Business Associate Agreement Hot Points

If an organization is involved in healthcare, whether as a provider, facility, consultant, vendor or in almost any other capacity, it is highly likely that HIPAA applies to its internal operations and its relationships with other parties. As is well known, when a relationship is established in which one party provides services for or on behalf of a covered entity (a healthcare provider, health plan, or healthcare clearinghouse), the party providing the service is a business associate. Once a party is a business associate, a business associate agreement (BAA) is needed. In fact, the BAA is not just needed but mandatory, and it must be in place before any protected health information is shared. As a quick refresher, a business associate, as noted above, is any party that...

The Trouble with Medical Data

As an educator in healthcare, I am struck by the sheer volume of information that must be collected and submitted by clinicians. Courses we develop are designed to make that job easier, but wow! Seriously, this is complicated stuff. And while I believe that most clinical providers are educated and more than capable of managing complex tasks, it seems to be a serious burden on them to juggle all that is required while continuing to do their primary job, which is to provide quality patient care. Take the MACRA-MIPS (Merit Based Incentive Payment System) program for instance, formerly dubbed “Meaningful Use” by CMS. This unwieldy set of instructions includes measures, bonus points, hardship exceptions and percentages. Details that would, in my opinion, give a PhD college math professor a...

A Cautionary Tale of Celebrity Breach

The company I work with, 4MedPlus, is based in the beautiful city of Chicago, Illinois, with a mission to provide critical compliance education. Many courses are dedicated to the subject of HIPAA and security in one form or another. We regularly present workshops, always including and specifically addressing the 'minimum necessary standard', which is an important protection and requirement of the HIPAA Privacy Rule. This standard is based on the practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The standard essentially requires the implementation of safeguards to limit unnecessary or inappropriate access to and disclosure of protected health information (PHI). Last week, however, it...

What’s the Goal: HIPAA Enforcement

Compliance with HIPAA and the attendant privacy and security requirements is a frequent topic of discussion. Discussions around compliance are driven by the daily reporting of breaches and by the issues, probably arising more than daily, faced by patients, clinicians and others when HIPAA is misinterpreted. In the face of all of these issues, there are not many options to turn to in order to obtain redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR), or the applicable attorney general. With those options, complaints can then feel as though they disappear into a black hole. Complaints are not simply dismissed, though. Many thousands result in some form of action, most often by OCR. The typical...

5 Tips for Protecting your Electronic Health Records

As we move further into the digital age, the presence of Electronic Health Records is continuously growing, making them perfect targets for criminal activity. It is crucial that your organization takes proactive measures to ensure its data is protected and not readily available to cybercriminals. Here are five tips that can help you protect your organization and the sensitive data it stores from falling into the wrong hands:

1. Perform Risk Assessments Regularly

Don’t underestimate the value of performing routine Risk Assessments. Healthcare organizations are constantly changing and evolving, and those changes should be evaluated for the risks they pose. For example, maybe your organization got a new server, opened a new office location, or changed EHR vendors – all these...

QPP Website Now Includes 2019 MIPS Measures and Activities

The Centers for Medicare and Medicaid Services (CMS) has updated the “Explore Measures” tool on the Quality Payment Program website for the 2019 performance period. The website now includes 2019 Merit-based Incentive Payment System (MIPS) measures and activities for the four performance categories:

Quality
Cost
Improvement Activities
Promoting Interoperability

Please note, the “Explore Measures” tool is only for informational and estimation purposes. It can’t be used to submit or attest to measures and activities.

For More Information

For additional details on the 2019 MIPS measures and activities, view the following resources on the QPP Resource Library:

2019 Cost Measure Information Forms
2019 Cost Measure Code Lists
2019 Improvement Activities
2019 Promoting Interoperability Measure...

HIPAA Complaints, OCR Investigations, and Security Risk Analysis for Healthcare Delivery Organizations – A Common Thread

Many HIPAA covered entities (CEs) and business associates (BAs) may not be meeting the regulatory mandate as defined in §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This implementation specification requires that healthcare delivery organizations (HDOs) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” This requires what I’ll call an Office for Civil Rights (OCR)-grade risk analysis that is clearly scoped and defined under the title “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.” There are several factors contributing to decisions not to conduct an OCR-grade risk analysis...

HIPAA Musings: Random Thoughts on Privacy and Security

With the holidays quickly receding, there was some time for reflection. When given that time (and honestly spurred to some degree by the HIPAA request for information), different issues about HIPAA wandered through my mind. With so many issues to ponder, and taking a page from Boston Globe sports columnist Dan Shaughnessy and his “picked up pieces” columns, here are various musings about HIPAA: Why is it assumed that the goals of value-based care cannot co-exist with HIPAA as currently in place? The permissible uses and disclosures under treatment, payment and health care operations are quite extensive. In fact, in beginning to work on comments for submission to the Office for Civil Rights (OCR) in response to the request for information, population health style concepts are already...

Picking Up the Pace: More HIPAA Settlements

After a slow start to the year in terms of HIPAA settlements, the Office for Civil Rights (OCR) is trying to finish the year with a bang. Since September 20, 2018, OCR has announced four different HIPAA settlements. The nature of the conduct underlying each settlement has varied widely. As such, it remains difficult to determine what facts or circumstances will most interest OCR in pursuing an issue for the imposition of a penalty. The most recent settlement, involving Advanced Care Hospitalists (ACH), was announced on December 4, 2018. ACH incurred a fine of $500,000 for arguably pervasive HIPAA issues. For background, the settlement indicated that ACH’s problems began when a hospital notified ACH that some of its PHI was freely accessible on a third-party billing company’s website....

Secure HIPAA Compliant E-mail: 5 Common Myths & Facts

Every day I field questions about HIPAA compliant e-mail, and many days I see or hear something that leads healthcare organizations and their business associates in the wrong direction. These Myths and Facts can help you make the right e-mail decisions. I have included links to give you more details and so you can see the official information yourself.

MYTH – All e-mail systems are HIPAA compliant.

FACT – FALSE. Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure, and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or attachments. This can be confusing, because mail providers offer both free and paid services. Google, for example, offers free Gmail, which is not...
