Liles Parker PLLC

Home Health HIPAA Violation Costs $239,800!

March 30, 2016
Filed under Home Health & Hospice

(March 29, 2016) Lincare, Inc., a provider of respiratory care, infusion therapy and medical equipment to in-home patients, will pay $239,800 in Civil Money Penalties (CMPs) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule after an HHS Administrative Law Judge (ALJ) ruled in favor of the Office for Civil Rights (OCR). This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and both times the CMPs have been upheld by the ALJ.

OCR’s investigation of Lincare began after an individual, the estranged husband of a Lincare employee, complained that she had left behind documents containing the protected health information (PHI) of 278 patients after she had moved out of their residence. The Lincare employee had kept documents containing patient PHI in her car while her husband had keys to the car, and she left documents behind in the home after moving. Lincare did not learn the documents were missing until months later, when the employee’s estranged husband reported to Lincare and OCR that he had the documents containing PHI in his possession.

I.  Lincare Was Alleged to Have Not Properly Safeguarded PHI:

Under HIPAA, all covered entities, including home care providers, must protect the privacy of the PHI of the individuals they treat. To that end, HHS implemented a “Privacy Rule,” which sets the standards for protecting PHI, requires covered entities not to disclose PHI, and provides that covered entities “must reasonably safeguard” PHI from “any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements.”

Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures to safeguard patient information that was taken offsite, although its employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Lincare had instructed its managers to maintain copies of the procedures manual “secured” in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or became inaccessible.

The ALJ held that Lincare failed to develop and implement policies and procedures reasonably designed to protect its patients’ PHI while those documents were out of the office.

Under the ALJ’s ruling, all covered entities must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.

Lincare claimed that it had not violated HIPAA because the PHI was “stolen” by the individual who discovered it on the premises previously shared with the Lincare employee.  The ALJ rejected this argument, holding that under HIPAA, Lincare “was obligated to take reasonable steps to protect its PHI from theft.”

The court noted that even after Lincare learned of the breach, it took no steps to prevent further disclosure of PHI and its managers “did not seem to recognize they had a significant problem protecting PHI that was removed from the office.”

When asked whether Lincare had considered revising its policies to include specific guidelines for taking PHI out of its offices, the Corporate Compliance Officer responded that it had “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  Since sarcasm is seldom appreciated in a courtroom, the ALJ did not “consider this a serious response.”

II. Lincare Was Alleged to Have Failed to Develop or Implement Appropriate Policies and Procedures to Prevent the Improper Disclosure of PHI:

The ALJ held that providers must develop and implement adequate policies and procedures reasonably designed, taking into account the size and the type of activities undertaken by the covered entity to ensure compliance and again noted that such policies and procedures must be maintained “in written or electronic form.”

While Lincare had a written privacy policy that addressed maintaining records within the center offices, “no written policy even addressed staff’s protecting PHI that was removed from the offices.”

Lincare even revised its policies after it learned of the unauthorized disclosure but the revisions provided “no guidance to employees required to remove documents from the office’s secured storage space.”  Poorly written policies, as here, that are overly broad and provide “no usable guidance to employees,” do not satisfy the Privacy Rule requirements.

Lincare further claimed that it satisfied the HIPAA requirements because its employees were trained in privacy policies and “understood those policies, practices and procedures.”  The ALJ rejected that contention, holding that “even if training were flawless…staff training does not compensate for missing policies.  In addition to having policies and procedures in place, the covered entity must train all members of its workforce.”

In conclusion, it is imperative for all health care providers that provide services to patients outside of an institutional or clinical setting to develop and implement adequate policies and procedures, in written or electronic form, that are reasonably designed and specifically address the “type of activities,” such as protecting PHI “off-site,” to ensure compliance with the Privacy Rule.

Anthony Cutrona, Esq. is a health law attorney with Liles Parker, Attorneys & Counselors at Law. Liles Parker has offices in Washington DC, Houston TX, San Antonio TX, McAllen TX and Baton Rouge LA. Our attorneys represent home health agencies, physicians, dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects. Need assistance? For a free consultation, please call: 1 (800) 475-1906.

HIPAA Security Risk Assessments are Essential

(September 29, 2014) In the last article, we discussed the importance of conducting HIPAA security risk assessments as part of your obligations under the HIPAA Security Rule. The importance of promptly conducting a risk analysis, if one has not yet been done, cannot be overestimated: the HHS Office for Civil Rights (OCR) has now announced that it intends to begin the next phase of audits in October 2014. When a Covered Entity receives a data request letter from OCR, it will have only two weeks to respond, which will not be enough time to conduct a risk analysis at that point.

In this article we’ll discuss eight elements or considerations that OCR states must be addressed in a risk analysis.

I.  Scope of the Analysis:

In conducting a risk assessment, a health care provider must consider all of the potential risks to electronic protected health information (e-PHI). Covered Entities must consider how all e-PHI in their practice is created, used, stored, and transmitted. Thus, Covered Entities need to consider how they create, receive, access, and transmit e-PHI. This includes removable storage media such as floppy disks, CDs, flash or thumb drives, and smart phones. Covered Entities must also think about telephone calls, emails, faxes, and computer transmissions. Consider how many employees or personnel can access the data and whether those individuals are all on-site or if any are off-site.

II.  Document How Data is Collected, Stored, Maintained and Transmitted:

Covered Entities must identify and document where e-PHI is gathered, received, stored, maintained or transmitted. This can be done through interviews with staff members, a physical walk through of the office or practice location(s), or reviewing documentation.

III.  Identify and Document Potential Risks, Threats and Vulnerabilities:

Covered Entities must document the reasonably anticipated threats to e-PHI. Consider physical, environmental, natural, human and technological threats or risks. Environmental or natural threats should include natural disasters such as tornadoes, floods or earthquakes. Human threats are likely to be some of the greatest concern. These include current employees and contractors, ex-employees and contractors, visitors, and criminals such as thieves and hackers. Technological threats will include any known system vulnerabilities in the billing system or EMR/EHR, for example. Healthcare providers should contact the vendors of these systems to ask about any known vulnerabilities.

IV.  Identify and Evaluate Current Security Measures:

Covered Entities must document what security measures are already in place to guard e-PHI and whether those measures are installed, configured and used correctly. The level and extent of security measures will vary by the type and size of provider. As an example, list any anti-virus or firewall programs. Don’t forget to document physical security measures, such as security and alarm systems.

V.  Determine the Likelihood of the Occurrence of the Threats:

This element requires Covered Entities to consider the probability that the threats listed in step # 3 will occur. This can be done with a quantitative method (such as the percentage probability that a threat will occur) or a qualitative one (such as high, medium, low). A high probability of occurrence means that a threat is “reasonably anticipated” and thus will require a mitigation or protection against the threat occurring. For example, a healthcare provider may determine that there is a high probability of a break-in into the office or clinic. Thus, a mitigation such as an alarm or security system would be an example of a security measure that could be implemented pursuant to step # 4.

VI.  Determine the Potential Impact if a Threat Occurs:

Covered Entities must evaluate the impact that might result from a threat occurring. Again, this can be done using a quantitative or qualitative method. For example, a potential impact of a breach of a Covered Entity’s billing system might be loss of cash flow or cost to replace stolen computer equipment. This might be a high or severe impact. Another example could be unauthorized access to e-PHI by patients or visitors. This impact might be low or medium.

VII.  Determine the Level of Risk:

This step is accomplished by utilizing the data from steps 5 and 6. A very common method of documenting the level of risk is using a HIPAA risk assessment matrix (such as a 3 x 3 matrix) or “heat map”. Those threats or vulnerabilities with higher levels of risk are ones that a Covered Entity should focus on addressing or correcting sooner than those with lower levels of risk.

VIII.  Identify HIPAA Security Risk Assessment Measures and Document the Risk Analysis:

Once the Covered Entity has identified risks and assigned risk levels, it must identify tasks, actions or security measures to address those risks. In identifying security measures, the Covered Entity should consider factors such as effectiveness, the requirements of the Covered Entity’s policies and procedures, and other legislative or regulatory requirements (for example, state laws). If a Covered Entity identifies a security measure but decides not to implement it, the risk analysis should document why (for example, technologically not feasible, lack of knowledge or equipment, cost prohibitive, etc.).

The Security Rule also requires Covered Entities to document the risk analysis, but does not specify or require any particular format. Thus, the risk analysis can be documented via a report that lists elements # 1 through 7, summarizes the analysis, notes the results of each step, and identifies the security measures.

Two final very important comments. First, the Risk Analysis is NOT the process of implementing measures to address the risks identified. That is the risk management process under HIPAA, which is considered a separate activity. Second, the Risk Analysis is not a “do it once and forget about it” process. The Risk Analysis must be periodically revisited and reviewed to determine if the threats, vulnerabilities, impacts and potential security measures remain the same. A Covered Entity may bring new systems online, may open or close locations, or have major changes in personnel. The re-evaluation of a Covered Entity’s Risk Analysis ideally should occur on an annual basis. A very old and outdated Risk Analysis is basically equivalent to not having a Risk Analysis at all.
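The worksheet below walks elements III through VIII as an added example (it is not from Liles Parker or OCR): each threat gets a likelihood and impact rating, the risk level is read off a 3 x 3 heat map, threats are ranked, every threat must carry either a planned safeguard or a documented reason for declining one, and the analysis is flagged as stale once it is more than a year old. The threat inventory, ratings and measures are constructed for illustration.

```python
"""Risk-analysis worksheet following elements III to VIII above: rate each
threat's likelihood and impact, read the risk level off a 3 x 3 heat map,
rank threats, and record either the chosen safeguard or the documented
reason for declining one. Added example, not from Liles Parker or OCR;
the threat inventory below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = ("low", "medium", "high")

# Element VII: 3 x 3 matrix, (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Threat:
    name: str
    category: str                 # element III: physical, environmental, human, technological
    likelihood: str               # element V
    impact: str                   # element VI
    existing_controls: list = field(default_factory=list)  # element IV
    planned_measure: str = ""     # element VIII: safeguard to implement
    declined_reason: str = ""     # element VIII: why a safeguard was not adopted


def risk_level(t: Threat) -> str:
    """Look up the qualitative risk level for a threat (element VII)."""
    if t.likelihood not in LEVELS or t.impact not in LEVELS:
        raise ValueError(f"{t.name}: likelihood/impact must be one of {LEVELS}")
    return RISK_MATRIX[(t.likelihood, t.impact)]


def prioritise(threats):
    """Highest risk first; ties broken by name so the written report is stable."""
    return sorted(threats, key=lambda t: (RANK[risk_level(t)], t.name))


def undocumented_decisions(threats):
    """Element VIII: every threat needs a measure or a documented reason for declining one."""
    return [t.name for t in threats if not (t.planned_measure or t.declined_reason)]


def analysis_is_stale(last_reviewed: str, today: str, max_age_days: int = 365) -> bool:
    """Annual re-evaluation, as the article recommends; dates are ISO strings."""
    age = date.fromisoformat(today) - date.fromisoformat(last_reviewed)
    return age > timedelta(days=max_age_days)


def build_report(threats, last_reviewed: str, today: str) -> dict:
    """Summarise the analysis in the form a written risk-analysis report would list."""
    return {
        "ranked": [(t.name, risk_level(t)) for t in prioritise(threats)],
        "missing_decisions": undocumented_decisions(threats),
        "stale": analysis_is_stale(last_reviewed, today),
    }


# Constructed inventory for a small clinic (not real findings).
SAMPLE_THREATS = [
    Threat("Office break-in and theft of workstations", "physical", "high", "high",
           ["door locks"], planned_measure="monitored alarm system"),
    Threat("Lost unencrypted thumb drive with billing exports", "human", "medium", "high",
           [], planned_measure="encryption required on removable media"),
    Threat("Tornado damage to server closet", "environmental", "low", "high",
           ["offsite backups"], declined_reason="cost prohibitive; backups limit impact"),
    Threat("Visitor views e-PHI on unattended screen", "human", "medium", "medium",
           ["privacy screens"], planned_measure="automatic screen lock"),
    Threat("Known unpatched vulnerability in EHR software", "technological", "medium", "high",
           ["vendor support contract"]),   # no decision recorded yet: the report flags it
]

if __name__ == "__main__":
    report = build_report(SAMPLE_THREATS, "2013-06-01", "2014-09-29")
    for name, level in report["ranked"]:
        print(f"{level:6}  {name}")
    print("undecided:", report["missing_decisions"], "stale:", report["stale"])
```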

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area. Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling. Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call. For a free consultation, call Heidi at: 1 (800) 475-1906.

CMS and Contractors Must Address EHR Fraud Vulnerabilities

(February 7, 2014): A new report from the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) finds that the Centers for Medicare and Medicaid Services (CMS) and its contractors have adopted few Medicare program integrity practices to address electronic health record (EHR) fraud vulnerabilities. These EHR fraud vulnerabilities include improper billing practices like copy-pasting (cloning) and overdocumentation. OIG recommended that CMS provide better guidance to Medicare contractors on detecting EHR fraud and direct those contractors to use providers’ audit logs, a valuable fraud detection tool when reviewing medical records.

I.     Electronic Health Records Have Largely Replaced Paper Medical Records:

EHRs are replacing traditional paper medical records with electronic records that document and store patient health information. They are patient-focused and instantly provide authorized users with real-time, secure information. EHRs may include administrative and clinical data relevant to a patient’s care under a particular provider, such as patient statistics like age and weight, progress notes, medications, medical history, and clinical test results.[1] More importantly, the health information in these records can be created and managed by authorized providers in a digital format capable of being shared across various health care entities.

II.     EHR Fraud Vulnerabilities:

EHRs facilitate the government’s goal of a health care system that strengthens the relationship between patients and their doctors.  The timeliness and availability of patient health information may enable providers to make better decisions and provide better care. However, misuse and other fraudulent practices are a significant concern with EHRs. Indeed, recently identified EHR fraud vulnerabilities will require CMS and its Medicare contractors to revise their traditional approaches to combating fraud and abuse in the health care industry.

For example, OIG recognized that “clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs.” The report also found that tracing authorship and documentation in an EHR may not be as direct as tracing in a paper record. In fact, OIG noted that health care providers can use EHR software features to disguise the true authorship of the EHR and distort information in the record. These practices can lead to inflated health care claims and fraudulent submissions for reimbursement.

III.     A Number of Program Integrity Risks are Presented by EHR Utilization:

While the full extent of health care fraud is unknown, there is no doubt it is substantial. Indeed, estimates put the cost of health care fraud between $75 billion and $250 billion. Unfortunately, the spread of EHRs may enable more widespread instances of deceptive practices. Specific features of EHRs, if poorly designed or misused, can result in EHR fraud and improper billing schemes.

  • Cloning.

A common EHR documentation practice used to commit fraud is known as “copy-pasting” or “cloning”. Cloning allows authorized providers to select information from one source in an EHR and replicate it in another section. For example, a health care practitioner can use cloning as a useful tool to replicate elements of a patient’s demographics on each page of the EMR. Originally seen as beneficial, cloning can be an easy way to copy forward documentation that appears to be the same, or at least unchanged from a prior visit, in a patient’s medical record.  However, cloning is susceptible to misuse. When clinicians clone information but do not update it or ensure its accuracy, erroneous data may enter the patient’s medical record. In turn, inappropriate charges may be billed to patients or third-party health care payors. Likewise, improper cloning can facilitate attempts to upcode claims and duplicate or create fraudulent claims.

  • Overdocumentation.

Another EHR documentation practice used to perpetrate fraud is “overdocumentation.” Under this scheme, a clinician inserts false or irrelevant documentation into the EHR, creating the appearance of medically necessary information that supports billing at a higher level of service. Overdocumentation typically occurs in EHR systems that auto-populate fields when using templates built into the system. It may also be seen in EHR programs that generate extensive documentation from the single click of a checkbox; if a provider does not properly edit the documentation, the information may be inaccurate. As a result, fraudulent records are produced that suggest the clinician performed comprehensive services that were not actually rendered.

IV.     CMS Contractors Are Supposed to Play a Vital Role in Safeguarding the Integrity of the Medicare Program:

CMS’s Medicare Integrity Program (MIP) is designed to combat fraud, waste, and abuse. Misuse and deceptive practices divert billions of dollars that could otherwise be spent on the health and welfare of Medicare beneficiaries. To facilitate its efforts to address Medicare’s vulnerabilities to fraud, waste, and abuse, CMS relies on Medicare administrative and program integrity contractors.  These contractors perform various functions, such as paying claims, identifying improper Medicare payments, and investigating fraudulent activity.

Medicare Administrative Contractors (MACs) are primarily responsible for processing and paying Medicare claims. MACs educate Medicare providers on appropriate billing methods and are responsible for detecting and deterring fraud.  Zone Program Integrity Contractors (ZPICs) also focus on detecting and deterring Medicare fraud. ZPICs investigate providers that have filed potentially fraudulent claims, conducting prepayment reviews, postpayment audits, as well as unscheduled onsite visits.  Recovery Audit Contractors (RACs) are largely responsible for identifying and reducing Medicare improper payments by detecting and recouping improper payments made on claims for Medicare services.

Importantly, these Medicare contractors rely on beneficiary medical records for a significant amount of their program integrity work.  When providers shift from paper medical records to EHRs, MACs, ZPICs, and RACs will have to adjust their current techniques for identifying improper payments and investigating fraud.

V.     A Recent OIG Report Found that Medicare Vulnerabilities are not Being Effectively Addressed:

OIG undertook a study to determine whether CMS and its contractors were properly implementing Medicare program integrity practices in light of growing EHR adoption. Unfortunately, the report found that CMS and its contractors had adopted very few program integrity practices specific to EHRs.

  • Few CMS Contractors are Reviewing EHRs any Differently than Paper Medical Records.

EHR technology is making it easier to commit fraud. However, CMS and its contractors have not adjusted their program integrity practices for identifying and investigating fraud in EHRs. According to the OIG report, just two MACs and two ZPICs acknowledged that they conduct additional reviews of EHR documentation beyond what they do for paper records. Moreover, the report found that audit logs are being severely underutilized. Audit log data is a feature unique to EHRs. It helps distinguish EHRs from paper medical records and can be a valuable tool in authenticating a medical record to support a claim. Nonetheless, the report found that only 3 of the 18 Medicare contractors admitted using audit log data in their review process.

  • Few CMS Contractors Reported Being Able to Determine if Cloning or Overdocumentation Was Occurring.

The report also found varying ability among MACs, ZPICs, and RACs to identify cloning and overdocumentation in both EHRs and paper medical records. Generally, more contractors were able to identify incidences of overdocumentation than cloning. OIG reasoned that overdocumentation was likely easier to identify because it is more evident within the supporting medical record for a single claim. In contrast, examples of cloning are more difficult to identify in a single claim because it may require a single reviewer to examine multiple claims from a single patient or provider for evidence of identical language. Notably, ZPICs were the contractors most likely to report being able to identify these types of schemes. As you recall, ZPICs’ primary objective is to target fraud; as a result, they are more likely to look at multiple claims as compared to other Medicare contractors.

  • CMS Provided Only Limited Guidance to Medicare Contractors on EHR Fraud Vulnerabilities.

Finally, the report looked into the extent to which Medicare contractors were receiving guidance from CMS on typical fraud vulnerabilities, such as cloning, overdocumentation, and electronic signatures. Unfortunately, the report found that little guidance or training was being disseminated. For example, CMS provided guidance to most MACs and RACs on electronic signatures; however, not one single ZPIC responded that it received this assistance. For the other EHR-related vulnerabilities, the guidance provided by CMS was insufficient.
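The cross-visit comparison that section V describes a reviewer doing by hand, as an added example (not from Liles Parker, OIG or CMS): each progress note is compared with the earlier notes for the same patient and provider, and a note is flagged when most of its sentences are verbatim repeats, while legitimately repeated boilerplate such as demographics is excluded. The notes, claim ids and threshold are constructed for illustration.

```python
"""Cross-visit cloning check of the kind section V describes a reviewer
doing by hand: compare each progress note with the earlier notes for the
same patient and flag notes that are mostly verbatim repeats. Added
example, not from Liles Parker, OIG or CMS; the notes, claim ids and
threshold are constructed for illustration."""
import re


def sentences(note: str) -> list:
    """Split a note into normalised sentences (case and whitespace ignored)."""
    parts = re.split(r"(?<=[.!?])\s+", note.strip())
    return [" ".join(p.lower().split()) for p in parts if p.strip()]


def cloned_fraction(current: str, prior_notes, boilerplate=()) -> float:
    """Share of the current note's sentences that appear verbatim in an earlier note.
    Sentences in `boilerplate` (e.g. demographics, which are legitimately repeated)
    are left out of the calculation."""
    skip = {s for b in boilerplate for s in sentences(b)}
    cur = [s for s in sentences(current) if s not in skip]
    if not cur:
        return 0.0
    seen = set()
    for n in prior_notes:
        seen.update(sentences(n))
    return sum(1 for s in cur if s in seen) / len(cur)


def flag_cloned_claims(visits, threshold=0.8, boilerplate=()):
    """visits: (claim_id, note) tuples in date order for one patient and provider.
    Returns [(claim_id, cloned_fraction)] for notes at or above the threshold."""
    flagged = []
    for i, (claim_id, note) in enumerate(visits):
        prior = [n for _, n in visits[:i]]
        frac = cloned_fraction(note, prior, boilerplate)
        if prior and frac >= threshold:
            flagged.append((claim_id, round(frac, 2)))
    return flagged


DEMOGRAPHICS = "Patient is a 54-year-old male."

# Constructed notes: CLM-2 repeats CLM-1 almost word for word; CLM-3 is fresh.
SAMPLE_VISITS = [
    ("CLM-1", f"{DEMOGRAPHICS} Patient reports chest pain radiating to left arm. "
              "Vitals stable. Lungs clear to auscultation. Plan: ECG and troponin today."),
    ("CLM-2", f"{DEMOGRAPHICS} Patient reports chest pain radiating to left arm. "
              "Vitals stable. Lungs clear to auscultation. Plan: ECG and troponin today. "
              "Follow-up in one week."),
    ("CLM-3", f"{DEMOGRAPHICS} Patient reports chest pain resolved after medication change. "
              "Vitals stable. Reviewed ECG results with patient. Plan: routine follow-up "
              "in three months."),
]

if __name__ == "__main__":
    # Only CLM-2 should be flagged; CLM-3 shares one routine sentence but is new work.
    print(flag_cloned_claims(SAMPLE_VISITS, boilerplate=[DEMOGRAPHICS]))
```

A flag is a reason for a reviewer to pull the surrounding claims and the audit log, not a finding on its own: templated but genuinely updated notes will also score high on repeated sentences.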

VI.     Recommendation Made by OIG in its Report:

Overall, the report recognizes that CMS and its contractors have not changed their program integrity strategies during the growing adoption of EHRs. Contractors are reporting that they are unable to identify cloning or overdocumentation in both forms of medical records. Moreover, few contractors are adopting additional review procedures specifically tailored to EHRs. Finally, little guidance is coming from CMS on how to detect fraud vulnerabilities.  Therefore, OIG made two recommendations. CMS must:

  1. Provide guidance to its contractors on detecting fraud associated with EHRs; and
  2. Direct its contractors to use providers’ audit logs.

OIG also argued that CMS should work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs, especially as it pertains to EHR documentation and electronic signatures. Moreover, the report stressed how audit log data can be a valuable tool in authenticating a medical record to support a claim.

VII.     CMS’s Response to OIG’s Concerns:

In its response letter to OIG, CMS recognized that it could give better guidance to contractors to prevent EHR-related fraud and abuse. CMS also agreed that audit logs should be used more frequently. However, CMS said that the use of audit logs “may not be appropriate in every circumstance” and would require special training for reviewers.

VIII.     Final Remarks:

This report is just the latest effort by OIG to determine the extent to which providers are using EHRs to commit waste, fraud, and abuse in the Medicare program. Every month, we hear reports of physicians, hospitals, and other Medicare providers using EHRs to generate documentation that supports higher coding levels, thereby inflating Medicare bills. This is fraud. As the federal government continues to encourage the implementation and use of EHRs, CMS, as well as its Medicare contractors, will begin to focus its efforts on how to prevent fraud, waste, and abuse using this technology. EHR systems may be poorly designed or implemented in ways that require you to copy and paste entire sections of a beneficiary’s record or the whole note, rather than just the relevant component.

Ultimately, your ability to avoid the filing of an improper claim rests on your ability to comply with federal and state laws, regulations and rules governing the provision, coding and billing of health care services. Without a doubt, the single most important step you can take in this regard is to develop, implement and adhere to the provisions and guidelines set out in an effective Compliance Plan. Otherwise, your practice may be targeted by CMS and one of its Medicare contractors.

If you have any questions about a Medicare audit or implementing a Compliance Plan for your practice, give us a call. We would be more than happy to assist you in these matters.

[1] CMS, Electronic Health Records. Accessed at http// on Jan. 14, 2014.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. For a free consultation, call Robert at: 1 (800) 475-1906.

The HIPAA / HITECH Omnibus Final Rule is Here! Is Your Health Care Organization Complying with the Rules?

(September 23, 2013): Effective today, all covered entities and business associates must comply with the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. Please keep in mind, the Final Omnibus Rule is 138 pages long.

If you have not already read these new requirements, we strongly recommend that all covered entities, business associates and any affected subcontractors carefully review and adhere to these requirements.  Summaries of these modifications may not fully address specific points which apply to your organization.

I.  Overview:

The Final Omnibus Rule contains some of the most significant changes to the HIPAA Privacy and Security rules since their inception.  The new Omnibus Rule also strengthens the ability of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to enforce the rules and levy fines for any violations.  The following article is intended to provide a brief synopsis of this new rule and outline how covered entities (such as your Physician Practice, Home Health Agency or Hospice) need to review their actions to better ensure that they are fully complying with the privacy, security and breach notification requirements which are now required.

II.  HIPAA/HITECH Omnibus Final Rule:

On January 25, 2013, HHS issued a final rule[1] to modify the HIPAA Privacy, Security, and Enforcement Rules. This final Omnibus Rule implemented statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH) in order to strengthen the privacy and security protection for individuals’ health information, modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act, modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA), and make other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

More specifically, the final Omnibus Rule is comprised of four individual final rules.  These rules:

1.  Modify the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, as well as certain other modifications that improve the Rules. These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements;
  • Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
  • Expand individuals’ rights to receive electronic copies of their health information and restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices (for examples, see Section VI below);
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others; and
  • Adopt additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2.  Adopt changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.

3.  Finalize the Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification rule’s ‘‘harm’’ threshold with a more objective standard.

4.  Modify the HIPAA Privacy Rule as required by the GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

While the final Omnibus Rule took effect on March 26, 2013, all covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

III.  New HIPAA Rules Apply to Covered Entities and Business Associates:

Individuals, organizations, and agencies that meet the definition of a “covered entity”[2] under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

More importantly, if a covered entity engages a “business associate” to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate.  This agreement must specifically state the work the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of PHI.

In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.  Specifically, business associates will be directly liable for:

  • Impermissible uses and disclosures of individual PHI (including using or disclosing more information than is minimally necessary);
  • Failing to comply with the Security Rule;
  • Failing to provide breach notification to the covered entity, or, if a subcontractor, to the business associate above;
  • Failing to provide electronic access as provided in the business associate agreement;
  • Failing to disclose PHI to HHS in response to compliance and enforcement actions; and
  • Failing to provide HITECH accounting, as necessary.

IV.  What is a “Business Associate”?

A “business associate”[3] is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A business associate also includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

As discussed above, HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard PHI.  These contracts also serve to clarify and limit, as necessary, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

Importantly, a business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

V.  Business Associate Agreements Between Covered Entities and Business Associates:

Based on the new rules, all covered entities should check to ensure that an updated business associate agreement has been put into place between the covered entity and any business associates it may have.  If an updated business associate agreement has already been put into place, check it to ensure that it includes the following provisions:

  1. Establishes the permitted and required uses and disclosures of PHI by any business associates;
  2. Provides that business associates will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  3. Requires that business associates implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
  4. Requires that business associates report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
  5. Requires business associates to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  6. To the extent that a business associate is to carry out a covered entity’s obligation under the Privacy Rule, the agreement must require that the business associate comply with the requirements applicable to the obligation;
  7. Requires that business associates make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  8. At termination of the contract, if feasible, requires that a business associate return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity;
  9. Requires that a business associate ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  10. Authorizes termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between a business associate and other business associates (that are essentially subcontractors) must also be subject to these same requirements.

If an updated business associate agreement has not been implemented, please take steps to have one completed immediately.  A Sample Business Associate Agreement which incorporates the January 2013 changes has been published on OCR’s website. Furthermore, the rules allow a business associate to continue to operate under existing business associate agreements up and until 09/22/14, under conditions that:

  • Prior to the 01/25/13 publication date, the covered entity and its business associate had an existing written business associate agreement with prior HIPAA provisions; AND
  • The business associate agreement has not been renewed or modified between the 04/26/13 effective date and the 09/23/13 compliance date.

VI.  Notice of Privacy Practices (NPP):

If you have not already done so, it is imperative that you immediately update the “Notice of Privacy Practices” (45 CFR 164.520) being used by your practice or organization. To their credit, OCR recently published several examples of what they consider to be a “clear, accessible notice that. . . patients. . .can understand.”  OCR has published the following three examples that may be used by a covered entity to notify patients of their rights and the organization’s privacy practices.  These examples include:

  • NPP Booklet – HC Provider
  • NPP Layered – HC Provider
  • NPP Full Page – HC Provider
  • NPP HC Provider – Text Version

VII.  The HIPAA Security Rule:

The HIPAA Security Rule[4] requires that covered entities implement “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic PHI.  The Rule also requires those entities to protect against anticipated disclosures and threats to the security of information.  “Electronic PHI,” or “ePHI” refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains, or transmits in electronic form.

Under the new final rule, business associates are now directly liable themselves for complying with the Security Rule. Therefore, these organizations should review the Security Rule Guidance Material[5] provided by HHS and implement policies and procedures in much the same manner as a covered entity.

  • Security Risk Assessment

Like covered entities, business associates must assess their security risks. A business associate must perform its own security risk analysis[6] to determine what the organization must do to address its security policies, procedures, and workforce training under HIPAA.  The foundation for this process is compliance, and the analysis should be tailored to the organization’s own practice: its size, complexity, and capabilities, as well as the risks and the costs of conducting the analysis and taking appropriate action, all need to be considered.  This allows the organization to meet those standards that are “required” and to determine whether an “addressable” standard applies.  For this assessment, covered entities and business associates should broadly inquire into:

  • Designing an appropriate personnel screening process;
  • Identifying specific data that must be backed up and how that backup process will be executed;
  • Implementing encryption methods for ePHI;
  • Classifying what data must be authenticated in particular situations in order to protect data integrity;
  • Designing written policies, procedures, and required notices; and
  • Developing requisite training tools for these purposes.

Based on this risk assessment, your organization needs to implement certain security standards that can be divided into administrative, physical, and technical safeguards.

  • Administrative Safeguards  

The Omnibus requirements mandate that business associates implement administrative safeguards in compliance with the HIPAA Security Rule. Administrative safeguards[7] include “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[8] Generally, these are the administrative functions that should be implemented to meet the fundamental security standards.  They focus on workforce training and contingency planning.

Business associates should keep in mind that the most important administrative safeguards are risk analysis and risk management.  Because both of these processes are “required,” a business associate should execute a critical and thorough risk analysis before undertaking subsequent regulatory compliance measures.  A business associate should also implement the following additional “required” administrative safeguards:

  • Sanction policy for employee noncompliance.
  • Tracking security “incidents” and documenting policies and procedures for dealing with incidents. Resulting harm must be mitigated.
  • Appointment of a security officer.
  • Allowing employee access to ePHI only where appropriate, and putting policies in place to prevent unauthorized persons from gaining access.
  • Training employees on security issues, scaled to the organization’s size.
  • Implementing contingency plans for emergencies that damage systems with ePHI, including provisions for data backup, a recovery plan and a mode for continuing critical business processes for the protection of the security of ePHI during emergency operation.
  • Ensuring that periodic evaluations of security preparedness are conducted.

Again, these standards and implementation specifications pertain to administrative functions, such as policy and procedures that must be in place for management and execution of security measures, and are just the first set of safeguards that have been implemented.

  • Physical Safeguards  

Physical safeguards[9] incorporate mechanisms, policies, and procedures required to protect electronic systems, as well as equipment and the data contained therein, from threats, environmental hazards, and unauthorized intrusion.  These safeguards include restricting access to ePHI and retaining off-site computer backups.

Covered entities and business associates must ensure that ePHI and the computers which house that private information are protected from unauthorized access.  Covered entities and business associates should also recognize that some of the requirements to be implemented as physical safeguards can be accomplished through the use of electronic security systems.  Possible approaches include, but are not limited to:

  • Establishing a policy for the appropriate use, physical attributes of and security for workstations that access ePHI.
  • Establishing policies dictating the procedures for the addition, disposal, or reuse of hardware or electronic media that contains ePHI.

After successfully implementing these, and other, standards and protections, an organization will be able to protect those covered entities’ ePHI from natural and environmental hazards, as well as unauthorized intrusion.  

  • Technical Safeguards  

Finally, the new Omnibus Rule also requires that business associates implement technical safeguards[10].  Generally, these types of safeguards are the automated processes used to protect data and control access to data.  For example, they include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.

Covered entities and business associates should review and implement the following “required” technical safeguards (as appropriate):

  • Policies that limit software program access to only those with authorized access. Organizations should also provide their employees with unique log-ins and ensure that automatic log-offs cannot be utilized.  Further, they should implement procedures for obtaining necessary ePHI during an emergency.
  • Maintaining activity logs (or “audit logs”) of all systems that contain ePHI.
  • Policies to protect ePHI from alteration and destruction.
  • Procedures to verify the identity of those seeking access to ePHI.
  • Protection for the transmission of ePHI over a network through technical security policies.
  • While encryption is only an “addressable” standard, a business associate should strongly consider using encryption to encrypt ePHI.

Importantly, each covered entity and business associate must also analyze their administrative, physical, and technical factors so that safeguards can be implemented to protect the integrity of PHI.   

  • Documentation Requirements

A proper risk assessment and all subsequent compliance measures must include proper documentation procedures.  Therefore, a business associate must ensure that all compliance activities are documented accordingly and retained for six years.  Business associates need to recognize that policies and procedures must be amended as further regulations and policies require.  Therefore, business associates should conduct periodic reviews of their policies, document those reviews, and take appropriate action when changes to the security environment of ePHI are needed.

VIII.  Business Associates and the Privacy Rule: 

The HIPAA Privacy Rule restricts covered entities’ use and disclosure of an individual’s PHI.  For example, providers who transmit PHI electronically in a HIPAA Standard Transaction, such as by filing electronic claims or checking eligibility electronically, become a “covered entity” even if they are using a third party such as a billing service or clearinghouse.  They are then bound by HIPAA and its requirements. Under the final Omnibus Rule, certain privacy changes have been enacted that impact business associates.

However, the HITECH Act does not impose all of the Privacy Rule obligations on business associates.  A business associate is subject to direct enforcement of the HIPAA Privacy obligations and penalties in the same manner as a covered entity, but only to the extent required under the HITECH Act – not the HIPAA Privacy Rule itself.

Both covered entities and business associates must ensure that any disclosure of PHI is kept to limited data sets or minimum amounts of information as necessary.  Furthermore, those covered entities that a company has a business associate agreement with must honor any and all requests by an individual to restrict disclosure of PHI to a Health Plan if the individual pays for the associated service out-of-pocket in full.  The business associate must also acknowledge that the sale of PHI is prohibited unless authorized by the individual, and certain marketing communications require additional authorizations. 

IX.  The HIPAA Breach Notification Rule: 

The Breach Notification Rule requires covered physician practices to notify affected individuals, the Secretary of HHS and, in some cases, the media when they discover a breach of a patient’s unsecured PHI.

Business associates must now comply with breach notifications procedures under the new HIPAA Omnibus Rule.  If a breach of unsecured PHI occurs, a business associate must notify the covered entity following the discovery of the breach.  Discovery of a breach is when the business associate “knew or should have known” of the incident.

Furthermore, any business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, a business associate should also provide each covered entity with the identification of each individual affected by the breach, as well as any information required to be provided by the covered entity in its notification to the affected individual(s).

Under the new Omnibus rules, breaches are now presumed reportable unless, after an organization has completed a risk analysis, it is determined that there is a “low probability of PHI compromise.” To conduct this analysis, covered entities and business associates must consider the following four factors:

  1. The nature and extent of the PHI involved – an organization should consider issues such as the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
  2. The person who obtained the unauthorized access and whether that person has an independent obligation under HIPAA to protect the confidentiality of the information;
  3. Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
  4. The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

Covered entities and business associates must keep in mind that this rebuttable presumption of breach and four-factor assessment of the “risk of PHI compromise” replaces HIPAA’s previous, more subjective “significant risk of financial, reputational or other harm” safe harbor analysis for establishing a breach. The new rules further clarify that there is no need to have an independent entity conduct the risk assessment and, indeed, no risk assessment need be conducted at all if the breach notification is made.  Nevertheless, a business associate must in any case undertake an appropriate review and take steps to mitigate the harm and reduce the likelihood of future breaches, as necessary.

Finally, both covered entities and business associates must implement “Breach Notification Policies and Procedures,” workforce training, and associated documentation procedures on how to document and handle breach incidents.

X.  Government Audits:

Under the new rule, HHS will be performing audits to ensure that covered entities and business associates are fully complying with the HIPAA Privacy, Security and Breach Notification requirements. Notably, HHS-OCR, the federal agency within HHS with oversight over HIPAA privacy, security and breach notification requirements, has established a comprehensive audit protocol that covered entities and business associates should consult when reviewing and updating their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas (79 Security Rule, 10 Breach Notification Rule and 80 Privacy Rule provisions) covering all of the following:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures;
  • Security Rule requirements for administrative, physical, and technical safeguards; and
  • Breach Notification Rule requirements.

The safeguards that covered entities and business associates ultimately implement should withstand the scrutiny of an HHS-OCR audit, if such an audit is ever conducted.[11]

XI.  Penalties: 

It is imperative that covered entities, business associates and their staffs understand that a failure to comply with HIPAA can result in significant civil and criminal penalties.

  • Civil Penalties

The HITECH Act established a tiered civil penalty structure for HIPAA violations. The Secretary of HHS still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.  Nevertheless, the Secretary is still prohibited from imposing civil monetary penalties (CMPs) (except in cases of willful neglect) if the violation is corrected within 30 days (a time period that may be extended).  Furthermore, HHS may waive a CMP in whole or in part in some situations.  Moreover, HHS is prohibited from imposing a civil money penalty if a criminal penalty has been imposed.

| HIPAA Violation | Penalty Range | Annual Maximum |
| --- | --- | --- |
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA. | $100 – $50,000 per violation | $1.5 million |
| Individual “knew, or by exercising reasonable diligence would have known” of the violation, but did not act with willful neglect. | $1,000 – $50,000 per violation | $1.5 million |
| HIPAA violation due to willful neglect, but the violation is corrected within the required time period. | $10,000 – $50,000 per violation | $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected. | $50,000 per violation | $1.5 million |

Under the new HIPAA Omnibus Rule, HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect.  HHS may also provide PHI to other government agencies for enforcement activities. The assessment of penalties must be based on five principal factors:

  1. The nature and extent of the violation, including the number of individuals affected,
  2. The nature and extent of the harm resulting from the violation, including reputational harm,
  3. The history and extent of prior compliance,
  4. The financial condition of the covered entity or business associate, and
  5. Such other matters as justice may require.

The number of violations may be based on the number of individuals affected or on the number of days of non-compliance. Finally, the HIPAA Omnibus Rule clarifies that the 30-day cure period begins when the individual knew or should have known of the violation.

  • Criminal Penalties 

Both covered entities and business associates must recognize that criminal penalties under the new Omnibus Rule are quite severe.  Covered entities and specified individuals, as outlined below, who “knowingly” obtain or disclose individual PHI in violation of the HIPAA requirements face a fine of up to $50,000, in addition to imprisonment of up to one year. Furthermore, offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.

  • Covered Entity and Specified Individuals

The DOJ has determined that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

  • Knowingly

The DOJ interprets the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense.  Specific knowledge of an action being in violation of the HIPAA statute is not required.

  • Exclusion

HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small).[12]

  • Enforcing Agencies

The HHS OCR enforces the privacy and security rules, while the Centers for Medicare & Medicaid Services (CMS) enforces the transaction and code set standards.

  • No Private Cause of Action

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (meaning an individual cannot take legal action against a covered entity for a HIPAA violation based on the HIPAA law). State law, however, may provide other theories of liability.

XII.  Conclusion: 

The new HIPAA Omnibus Rule includes a set of final regulations modifying the HIPAA Privacy, Security, and Enforcement Rules to implement various provisions of the HITECH Act. These rules are quite complex and mandate numerous new policies, procedures, and safeguards that both covered entities and business associates must implement in order to safeguard individuals’ PHI.  Both covered entities and business associates must thoroughly analyze the risks involved with maintaining and protecting the PHI they receive from patients (in the case of covered entities) and from covered entities (in the case of a business associate), so that they can fully comply with applicable statutory and regulatory requirements.

Robert W. Liles is Managing Partner at the health law firm of Liles Parker PLLC.  Our firm represents physicians, home health agencies, hospices, skilled nursing facilities and other health care providers around the country in connection with HIPAA, compliance and a full range of other health care transactional projects.  Should you have a question, please feel free to give us a call.  For a complimentary initial consultation, please call Robert at: 1 (800) 475-1906.



[2] See 45 CFR 160.103 for the definition of a “covered entity”.

[3] See Id.

[4] See 45 CFR 160 and 164.


[6] A business associate may utilize NIST SP 800-30 as an initial starting point.

[7] See 45 CFR § 164.308 for more detailed information on administrative safeguards.

[8] 45 CFR § 164.304

[9] See 45 CFR § 164.310 for more detailed information on physical safeguards.

[10] See 45 CFR § 164.312 for more detailed information on technical safeguards.

[11] HHS OCR’s HIPAA Audit Program Protocol is available at 

[12] 68 FR 48805

Texas Medical Privacy Act Takes Effect

(September 11, 2012):  They say that “Everything is Bigger in Texas,” and its law concerning medical privacy is no exception. The Texas Legislature recently enacted the Texas Medical Privacy Act (TMPA)[1], also known as the Texas HIPAA law. The new law substantially increases the compliance burden on medical and service providers, suppliers, business associates, third party payers and just about everyone who handles, transmits or stores Protected Health Information (PHI) or Electronic Protected Health Information (EPHI) in any way. Enforcing the new law is the task of the Texas Health and Human Services Commission (HHSC). The penalties are substantial. The range of civil fines and penalties reflects similar provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Texas Civil Monetary Penalties (CMPs) include:

  • $5,000 for each negligent violation that occurs within 1 year.
  • $25,000 for each knowing or intentional violation that occurs within 1 year.
  • $250,000 for each knowing or intentional violation by a covered entity where PHI was used for financial gain.
  • Up to $1,500,000 if the frequency of violations establishes a pattern or practice.

I.  Who is a “Covered Entity” Under the New Texas Medical Privacy Act?

From a practical point of view, nearly everyone who touches PHI/EPHI is now included. Under Sec. 181.001(b)(2) of the Texas Health & Safety Code, a “Covered Entity” means any person who:

  (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.  The term includes business associates, health care payors, governments, information or computer management entities, schools, health researchers, health care facilities, clinics, health care providers, or any person who maintains an Internet site potentially conveying PHI;
  (B) comes into possession of protected health information;
  (C) obtains or stores protected health information under this chapter; or
  (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

II.  What Does a Texas Provider Need to Do to Comply With the Texas Medical Practice Act:

The next two months are critical for providers and the following actions must be done immediately before the 60-day grace period expires on October 31, 2012. Action taken now can help limit your potential liability exposure under Texas law.

  1. Employee Training:

  • Train all employees on HIPAA and the Texas Medical Privacy Act within the next 60 days – before 10/31/12. Training must be customized according to the employee’s access and handling of protected health information. Retrain employees every six months, if possible, but no later than every year.
  • Train new hires within their first 30 days of employment. Training must be customized according to the employee’s access and handling of protected health information.

  2. Internal Privacy Policies and Procedures – Patient Access to PHI / EPHI:

  • You must provide patients with requested electronic health information (EPHI) records within 15 days, instead of 30 days.

  3. Internal Privacy Policies and Procedures – Encryption and Transmission:

  • Transmission and receipt of EPHI through cyberspace requires encryption every single time. If you do not have an effective encryption program, consider it an absolute necessity and get one. Train your employees on how to use it and make encryption of any transmission standard office policy with penalties for failure.
  • Portable devices such as thumb drives can now be purchased with combination locks for security. Thumb drives are not recommended due to their ease of loss and the potential for leaks and breaches. However, if they must be used, then control their use by allowing only approved devices purchased and numbered by the company and assigning them to the party responsible. Devices should be turned in after use with a log date and signature.
  • Consider purchasing cyber-liability insurance for your company or practice.

  4. Business Associate Agreements (BAA):

  • The business associate should notify you immediately of any breach of PHI and provide you with contemporaneous written notification of the facts concerning the breach;
  • Identify or assign a person to notify any patient affected by the breach;
  • Certify that the business associate complies with Texas Health and Safety Code § 181.100 regarding employee training on federal HIPAA and the Texas Medical Privacy Act requirements;
  • Provide certification and supporting documentation of the covered entity’s annual employee training and security analysis (for example: all employees have been screened on government exclusion lists – GSA, EPLS, State – and have had criminal background checks to comply with DEA regulations).

III.  Final Remarks:

The Texas Legislature has made a strong effort to get ahead of the electronic distribution curve and protect EPHI. The short time frame is essential for enabling compliance and stopping potential problems before they occur. By complying with the more stringent Texas law, providers should be able to avoid many of the pitfalls under the federal HIPAA law. By the same token, failure to train and abide by both federal and state standards can lead to double liability for breaches, leaks and compromised EPHI. Stay ahead of the curve and make the changes necessary to protect your practice or business now.

Robert Liles counsels providers on HIPAA and TMPA compliance risks, HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1-800-475-1906.

1 Texas Medical Privacy Act, Chapter 181 – Medical Records Privacy, eff. Sept. 1, 2012.

What Should I Do If I Discover A Breach of PHI?

(September 6, 2012):  What should you do if you discover a breach of PHI (Protected Health Information)? The short answer is: it all depends on who you are. With the rise in concern over and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patients, families, practitioners, and health care executives need to know how to handle protected health information (PHI).  PHI consists of information that falls into any 1 of 18 established categories which can be used to identify an individual and/or their medical condition or diagnosis. HIPAA is designed to protect patients from the wrongful use or disclosure of PHI, as well as from security breaches affecting PHI.  In the past few years, security breaches of PHI have hit epidemic proportions; doctors, nurses, billers, and hospital administrative/executive staff have reported the loss or theft of hundreds of laptops, flash drives, CDs, and other portable electronic devices. As you know, these devices can hold hundreds and even thousands of medical records and other health information containing PHI. So when even a single computer or flash drive is stolen and represents a breach of PHI, the effect of this incident can be felt by every stakeholder and could result in tremendous penalties levied by the Federal government. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and its private contractors have recently doled out millions of dollars in fines for HIPAA violations. That is why it is so important to know how to handle a breach of PHI.

I.  Patients and Their Families:

If you are a patient or a family member of a patient who has concerns over the security of your PHI, or if you know of a specific breach of PHI, this is a serious concern. PHI falling into the wrong hands can and does lead to identity theft and Medicare fraud – those who steal PHI then either sell it to identity thieves or use it for their own gain. This can affect a patient’s bank accounts, credit rating, or reputation. If you know of a security breach of PHI, you should report this incident to OCR. OCR’s website has a section to report complaints, and once OCR receives a complaint, it reviews it and considers opening an investigation into the allegations.

II.  Health Care Providers and Suppliers:

If you are a provider, a breach of PHI is a whole different story. First, you need to determine who is the “covered entity” involved in the breach. Nearly all providers and health care practices are covered entities at this point, but it is important to determine whether the covered entity is an individual doctor or nurse practitioner or rather the hospital or clinic. Second, we recommend that you contact your health law counsel to advise you on proper disclosure. A covered entity has different reporting obligations depending on the egregiousness of the breach and the number of individuals affected. For instance, no matter how few people are affected by a breach of PHI, a provider must notify them of the breach (breaches affecting fewer than 500 individuals may be logged and reported to HHS annually). But as the numbers get higher, the provider must disclose the breach even more widely. For a breach involving 500 or more patients, for instance, the provider must notify the Secretary of HHS without unreasonable delay, as well as prominent local news media, and may have to keep a notice of the breach on its website for a period of time. As you can imagine, a breach of PHI of this magnitude can really hurt a provider’s good reputation. It is also important to keep in mind the 4-tiered penalty structure under HIPAA: violations which could not have been reasonably prevented will incur significantly lower fines than those which could have been prevented and were ignored.

Of course, you can get yourself and your practice into one of the lower tiers by establishing and maintaining an effective Compliance Plan. An effective Compliance Plan is designed to keep you and your staff honest and on the same page about your compliance obligations, and will serve as a roadmap for your organization in how it conducts its business. Compliance Plans should focus not just on HIPAA (though that is a large part), but also on OSHA, Stark, Anti-Kickback, employee relations, codes of conduct, and billing and coding functions. We recommend that you begin establishing your Compliance Plan through a gap analysis: identifying the standards you must meet, assessing your organization’s compliance with those standards, and determining and correcting any gaps found. While this may not eliminate the risk of a breach of PHI, it certainly helps to reduce that chance and also shows the Federal government you are trying to do the right thing.

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs GAP analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.

Overseas Outsourced Billing and Coding – Compliance Risks

(August 16, 2012):  Thinking of sending your medical coding and billing functions out of the country? You better think twice. While overseas outsourced billing is growing in popularity for medical office functions, this practice represents a unique and growing set of problems for both physician practices and 3rd party billers. And the news is just getting worse.

I.  HIPAA and HITECH Provisions:

As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patients’ rights to privacy, and requires that “covered entities” properly secure and safeguard protected health information (PHI). While HIPAA has long represented an administrative headache for many small and medium providers, it has only been made more complicated by the rise of electronic data processing and transmission. In 2009, Congress passed the HITECH Act as part of the American Recovery and Reinvestment Act (ARRA). HITECH governs the use and disclosure of e-PHI and related computer systems, and significantly amends portions of HIPAA. For instance, HITECH calls for HIPAA audits, which are currently being conducted around the country. It also created an enhanced penalty structure under which the Office for Civil Rights (OCR) can fine entities up to 1.5 million dollars per calendar year for all violations of an identical provision, whether for wrongful use or disclosure or for breaches of PHI. But what do these laws have to do with outsourced billing?

Plain and simple, providers cannot relieve themselves of their obligations under HIPAA or HITECH by sending many of their administrative functions offsite. Instead, it is just the opposite: providers are responsible not only for their own practice, but also for the acts of their business associates and those associates’ subcontractors. This is a significant wrinkle in the use of overseas contractors. While there are many benefits, including cost and efficiency (i.e. sending records at the close of business and getting everything back when business starts the next day), these incentives are overshadowed by the problems presented by HIPAA.

II. Compliance Concerns with Outsourced Billing:

First of all, you have no guarantees that a coding and billing business overseas is HIPAA compliant or even understands the law at all. Is the outside entity taking proactive steps to establish administrative, technical, and physical safeguards for your patients’ PHI? Even if they say they are HIPAA compliant, how can you verify that information?  To counter this, many outsourced billing companies, such as those in India or Pakistan, may argue that they will sign a contract indemnifying you for any HIPAA breaches and the resultant penalties. But if something goes wrong (as it inevitably does), obtaining a judgment against the outside entity is next to impossible, takes a substantial amount of time, and costs a lot of money. We had previously reported that the backlog for having a case heard in India was nearly 20 years. But recent estimates by the National Bar Association of India put that figure closer to “350 to 400 years.” That is, if you were to sue an Indian billing company today, you might not go before a judge until AD 2362 – and that’s a long time for your great-grandchildren to wait. Not to mention that suing the outsourced third-party biller for contribution (i.e. the portion of your penalties for which they are reasonably responsible) is extremely difficult and complex.

On top of this, employees of foreign companies have recently been extorting American providers over the PHI in their medical records. In one instance, an employee of a billing company in Pakistan had had enough. She did not think she was being paid enough and contacted the hospital whose records she was currently working on. She demanded a significant sum of money from the hospital or she would release the medical records on the Internet and anonymously contact United States authorities. Essentially holding the records and the PHI they contained hostage, the worker managed to extort payment from the hospital. And again, attempting to report her to the local authorities or sue her in a court would be a difficult and probably unsuccessful endeavor. When employees of outsourced billing companies have access to this information and bad intentions, they have many providers by the proverbial “short hairs.”

III. Conclusion:

This is why we recommend that healthcare providers “buy American.” The protections of United States law, and the relative ease with which you can resolve any conflicts between your practice and a billing company, more than make up for the additional cost. You should consider retaining an experienced, local 3rd party biller for assistance with medical billing. For more information on coders and billers in your area, we recommend contacting the American Medical Billing Association.

Robert W. Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.

Healthcare Cloud Computing – Compliance Risks

(August 14, 2012):  Cloud computing is in the process of revolutionizing the way that individuals and businesses store, receive, and use their data. You may have heard about it through companies such as Google, Apple, and Microsoft, all advertising sophisticated cloud computing services. But what are the risks your organization faces with respect to healthcare cloud computing?

I.  What is Healthcare Cloud Computing?

Essentially, “healthcare cloud computing” is the process of using various offsite computer and server resources that are delivered to users remotely through the internet. You use a program on your computer to access data, software, and powerful processing resources at a remote location. Because nearly all of the data storage and processing is done remotely, there is less of a need for high-powered, sophisticated computers at a user’s location, meaning individuals and small businesses can access computer tools that had previously only been reserved for the largest of corporations. In fact, a recent survey by Microsoft found that 39% of small business owners were beginning to engage in some sort of cloud-based computing.

II. Risks of Healthcare Cloud Computing:

Reliance on healthcare cloud computing can expose a provider and his / her practice to a variety of very serious risks.  Chief among these risks is the potential for a substantial privacy breach. Because data and data systems are maintained offsite, a provider, biller, or facility cannot directly ensure that the data contained on these remote servers is properly secured. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use of Protected Health Information (PHI) through its Security and Privacy Rules. These rules, administered by the Office for Civil Rights (OCR), protect the privacy of individual patients by setting out requirements and repercussions concerning the wrongful use or disclosure of PHI. Under HIPAA and the HITECH Act of 2009, there are 4 tiers of potential penalties a “covered entity” might face for wrongful use or disclosure or a security breach. Notably, nearly every healthcare provider is, at this point, a covered entity.

Despite an awareness that both known and emerging risks are present, many health care providers appear to have resigned themselves to the view that the unparalleled convenience of healthcare cloud computing more than makes up for the potential dangers of using this medium.   Notably, many cloud computing services advertise that they are HIPAA compliant or have undergone an SAS 70 Type II audit. Be careful: an SAS 70 report (since replaced by SSAE 16 / SOC reports) attests only to controls the vendor itself chose to describe, for the period examined; it is not a HIPAA certification, these audits vary greatly in adequacy and sophistication, and a vendor that passed one may still fail to meet the standards of HIPAA and HITECH. A vendor that stores or processes PHI on your behalf is also your business associate and should be under a business associate agreement. On top of this, as a health care provider, you are not in a position to ensure that the cloud computing company will continue to meet these standards.  In any event, should a breach occur, you will still be on the proverbial “hook” with OCR and its auditing contractors.  Your decision to store PHI on a cloud computing server will not relieve you of your obligation to safeguard patient medical records and personal information.  You are ultimately responsible for the PHI entrusted to you by your patients, not the cloud service provider.   There are a number of technical security concerns that you should understand:

  • First, how is data stored at the 3rd party site? Is the data of all clients thrown together on one server or on one hard drive, or does each client have a dedicated server? In addition, what if a server or drive has a technical failure? When that happens (as it inevitably will), the 3rd party vendor needs to sanitize or destroy any PHI left on the failed hardware before it is replaced or retired, and must have a current backup so that the data still exists in some form. It is difficult for both you and the 3rd party vendor to guarantee this.

  • Second, transferring data to and from your “cloud” must be done through an encrypted channel (for a web interface, “https://” with a valid certificate; for bulk transfers, an equivalent such as SFTP or a VPN). You need to specifically ask a cloud vendor whether a dedicated, secure connection can be established so that the “highway” through which your data passes cannot be read by others.

  • Third, the interface your organization uses to interact with the remote cloud server (the web portal or programming interface) is itself at risk of security breaches, and you should ensure that the 3rd party host has developed properly secured interfaces. Again, this can be hard to verify.

  • Finally, and probably most importantly, what about the employees of the remote cloud service? They generally have access to a substantial amount of sensitive data, and you have no ability to train, discipline, or terminate those individuals should wrongdoing occur. As you know, next to the theft of laptops and other mobile electronic devices, curious employees accessing PHI without authorization is the most common type of breach under HIPAA. Couple that with a vendor over whose employees you have no control, and it could mean substantial trouble if an individual employee decides to start exploring your patients’ medical records.

III. Conclusion:

As a result of these serious concerns, we strongly recommend that providers continue to use an internal server stored onsite. While it can be more expensive, it is the only true way to ensure that your patients’ PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may reasonably be covered by the attorney-client privilege.

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at: 1 (800) 475-1906.

Social Media and Healthcare: A Little More Complicated

(June 20, 2012): A few weeks ago, you may have heard our Firm present a webinar on “Healthcare Providers and Social Media: Risks to be Considered.”  Our article here summarizes some of the more important points of that presentation. As an update, we are detailing some new issues to be taken into account by providers when incorporating social media risk issues into your Compliance Plan. As we will discuss, different governmental regulatory bodies have recently released conflicting guidance that could make your social media compliance policy very difficult to implement and enforce.

I.  Social Media and Healthcare Recent Developments:

While each of you is well aware of the many privacy provisions set out under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with its obligations to secure and protect certain types of patient health information, this ongoing obligation has recently become significantly more complicated by the rise in social media use by patients, employees, competitors and referral sources. In fact, the intersection of social media and healthcare has perplexed many providers in terms of “best practices” for HIPAA compliance.

To make matters worse, other non-HHS governmental regulatory bodies are issuing guidance which (at first glance) appears to stand at odds with a number of HIPAA’s accepted practices, leaving many healthcare providers caught in the middle. For instance, the National Labor Relations Board (NLRB), under the authority of the National Labor Relations Act (NLRA) of 1935, recently issued guidance regarding which social media policies implemented and enforced by employers are lawful. Prior to this guidance, the simple answer for healthcare providers regarding social media was to limit access during work and inform employees that any confidential information regarding the company, its business, its patients, or the care it provided could not be posted online.  In this way, the healthcare provider hoped to protect both its patients and the company itself from any wrongful or inadvertent breaches of protected information. Now, however, a healthcare provider’s Compliance Plan and policies and procedures must be adjusted to account for concerns raised by the NLRB.  As recent decisions have held, employers are prohibited from restricting an employee’s comments regarding terms and conditions of employment.  Unfortunately, there have been cases where such disclosures were alleged to have ultimately resulted in the breach of a patient’s privacy. Keep in mind, there are 18 elements of Protected Health Information (PHI) and the 18th element is a catch-all category which basically covers any information that might disclose an individual’s identity.  As a result of the NLRB’s guidance, healthcare providers will need to take care when drafting their social media policy to better ensure that it hits the “sweet spot” between limiting usage of social media for HIPAA purposes and allowing usage of social media for NLRA purposes.

This is a delicate balance, and providers would be well cautioned to review their current policies for adherence to labor and employment issues, in addition to the regular compliance risks normally facing healthcare entities. The last thing you want is to be stuck with disgruntled employees who file a complaint with the NLRB.

II.  What Types of Policies Should I Avoid?

The relevant law regarding this issue is contained in Sections 7 and 8(a)(1) of the NLRA, which state:

Sec. 7 – Rights of Employees

Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities except to the extent that such right may be affected by an agreement requiring membership in a labor organization as a condition of employment as authorized in section 8(a)(3).

Sec. 8. – Unfair Labor Practices – (a) It shall be an unfair labor practice for an employer –

(1) to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in section 7 . . .

There are some takeaways from the NLRB guidance, however. Specifically, it is important to have a policy which does not infringe upon or “chill” the employee’s right to discuss their terms and conditions of employment both inside your company and with third parties (i.e. their family, friends, or the NLRB). To do this, social media policies must not be overbroad or unduly restrictive, and should have limiting language and specific examples which put any social media restrictions in context. For instance, you might caution employees about the effects of HIPAA on social media usage, and the risks to an employee both personally and professionally for unauthorized disclosure of protected health information. As well, you might describe prior examples of social media usage that resulted in a HIPAA violation, so that employees would not reasonably think that the policy is intended to restrict their ability to discuss their terms and conditions of employment.

Initially, the idea that an overly restrictive social media policy would have anything to do with employees organizing or collectively bargaining might seem far-fetched or tangential. But think about the impact of social media tools in other types of protests around the world. For instance, in the “Arab Spring,” students and young people used social media tools to coordinate protests, recruit volunteers, and make their ideas known far and wide. On the other side of the globe, this is exactly the same type of activity that protesters and picketers might utilize in the United States. And like it or not, that is the type of activity the NLRA and the NLRB are designed to protect.

Admittedly, this has muddied the waters even further. Restrictions on what you can and can’t do as a healthcare provider are becoming more complex every day, and that is why it is important to have an effective compliance plan in your practice. It’s also important to seek advice regarding these issues from a qualified healthcare attorney who understands both these confusing questions and your business.  When in doubt, get assistance from your qualified healthcare counsel.

Robert W. Liles is the managing member of Liles Parker PLLC, in our Washington, D.C. office. Robert  provides representation of healthcare providers in Medicare and Medicaid audits and appeals, trains healthcare professionals on compliance issues, and drafts and implements Compliance Plans for healthcare providers. For a complimentary consultation regarding your case, call Robert today at: 1 (800) 475-1906.

HIPAA Audit Protocols are Here. Are Your Privacy Practices Fully Compliant?

(December 28, 2011):  The Office for Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  As OCR’s website reflects, the agency:

“. . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”

I.  Development of HIPAA Audit Protocols:

After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create HIPAA audit protocols designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.

In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA audit protocols and auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.

II.  Timeframe of Initial HIPAA Audits:

In July and August 2011, OCR and the contractor worked to develop their initial HIPAA audit protocols and the standards they would assess provider compliance against. A national accounting firm was selected to conduct these HIPAA audits in September, 2011. Initially, they are expected to only examine a few providers in order to test the HIPAA audit protocols and standards which have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the HIPAA audit protocols, as necessary.  This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.

Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and / or types of providers to be audited.  Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to solely be conducted on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.

III.  Recommendations for Effective HIPAA Compliance:

If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules.  You should also expect them to examine the security of your electronic transmissions and your physical security safeguards.  Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether providers are fully logging each person who accesses a medical record (the Security Rule’s audit-control standard), so that the log can be reviewed for improper access and patients can be given an accurate accounting of disclosures.
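The access-log review described above, and the “curious employee” problem raised in the cloud computing article earlier on this page, both come down to the same two questions: who touched this patient’s record, and who is touching records they have no business with. The following Python script is an added example, not code from the original articles or from any particular EHR vendor. The pipe-delimited log format, the field names, the sample log lines and the assignment table are all constructed for illustration; a real system would pull the assignment (treatment relationship) data from scheduling or the EHR itself.

```python
"""Audit-log review for PHI access (added example; assumptions noted).

Three checks a covered entity or its auditor would want to run over
record-access logs:
  1. accounting_for_patient: every access to one patient's record, the
     raw material for an accounting of disclosures;
  2. flag_out_of_relationship: accesses by users to patients they are
     not assigned to (the "curious employee" or the vendor's operator);
  3. flag_bulk_browsing: users who open many distinct records in a short
     window, a pattern of snooping or bulk export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an ASSUMED format:
# timestamp|user|role|action|patient_id|source_system
SAMPLE_LOG = """\
2012-08-14T09:02:11|nurse.amy|RN|view|PT-1001|emr-web
2012-08-14T09:05:40|dr.khan|MD|update|PT-1001|emr-web
2012-08-14T09:07:03|biller.ray|BILLING|view|PT-1001|billing-portal
2012-08-14T11:30:22|nurse.amy|RN|view|PT-2044|emr-web
2012-08-14T11:31:10|nurse.amy|RN|view|PT-2045|emr-web
2012-08-14T11:31:55|nurse.amy|RN|view|PT-2046|emr-web
2012-08-14T11:32:30|nurse.amy|RN|view|PT-2047|emr-web
2012-08-14T23:48:09|vendor.ops|CLOUD_ADMIN|export|PT-1001|db-console
"""

# ASSUMED assignment table: the patients each user has a legitimate
# treatment or billing relationship with. vendor.ops (the hosting
# provider's operator) has no relationship with any patient.
ASSIGNMENTS = {
    "nurse.amy": {"PT-1001", "PT-2044"},
    "dr.khan": {"PT-1001", "PT-2044"},
    "biller.ray": {"PT-1001", "PT-2044", "PT-2045", "PT-2046", "PT-2047"},
}


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, source = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "patient": patient, "source": source,
        })
    return events


def accounting_for_patient(events, patient_id):
    """All accesses to one patient's record, oldest first, as tuples of
    (timestamp, user, role, action, source)."""
    return sorted(
        (e["ts"].isoformat(), e["user"], e["role"], e["action"], e["source"])
        for e in events if e["patient"] == patient_id
    )


def flag_out_of_relationship(events, assignments):
    """Events where the user is not assigned to the patient accessed.
    A user missing from the table is treated as assigned to nobody."""
    return [e for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def flag_bulk_browsing(events, max_distinct, window_minutes):
    """Users who access more than max_distinct different patients within
    any sliding window of window_minutes. Returns {user: peak count}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Accounting for PT-1001:")
    for row in accounting_for_patient(events, "PT-1001"):
        print("  ", row)
    print("Out-of-relationship accesses:")
    for e in flag_out_of_relationship(events, ASSIGNMENTS):
        print("  ", e["ts"].isoformat(), e["user"], e["action"], e["patient"], e["source"])
    print("Bulk browsing (>3 patients in 15 min):",
          flag_bulk_browsing(events, max_distinct=3, window_minutes=15))
```

On the constructed sample, the accounting for PT-1001 lists four accesses, including the hosting vendor’s late-night export from a database console, which is exactly the kind of entry a provider cannot see at all unless the cloud vendor ships its own audit logs. The out-of-relationship check flags nurse.amy’s three views of patients she is not assigned to and the vendor’s export; the bulk-browsing check flags the same nurse for opening four distinct records in about two minutes. The thresholds are tuning knobs, not standards: set them from the normal access pattern of each role in your own logs.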

All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program.  As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice.  A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:

  • The size, complexity, and capabilities of the covered entity;
  • The covered entity’s technical infrastructure, hardware, and software security capabilities;
  • The cost of security measures; and
  • The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).

While small providers may desire to only implement the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions are fully met.  All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.

Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with GAP Analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.
