
HIPAA Compliance Update

Blog Post

HIPAA compliance has been part of the regulatory landscape of healthcare since the privacy rules became effective in 2003. Since that time, most providers have taken steps to develop their compliance plans, including distributing notices of privacy practices, obtaining authorizations for release of information as needed, and obtaining business associate agreements from third parties. Since the initial rules went into effect, providers have needed to update and revise their policies, notices and other forms to accommodate the changes included in the HITECH amendments and the related changes in the security standards.

Enforcement.

The Federal Office of Civil Rights is assigned the primary responsibility for enforcing HIPAA violations. As of September 30, 2015, HHS reports that it had received over 120,000 complaints, of which 90% have been resolved. HHS also reports that it had collected over $22.8 million in fines and sanctions from those violations. While not statistically reported in the September 30th summary, there have been over a dozen criminal prosecutions for various HIPAA violations.

Because the statute and regulations have been in effect for over a decade, some practices may not pay as much attention to HIPAA compliance as they should.

Change in Enforcement Emphasis.

In the early years of HIPAA, the position of the government was that it would work with practices with the goal of achieving compliance rather than focus on more punitive measures or sanctions. That approach started to change with the adoption of the HITECH amendments, under which the size of penalties increased dramatically. Currently, the statute provides that a HIPAA sanction for the lowest-tier violation is $100 per violation with a maximum of $25,000. A second-tier violation has a minimum sanction of $1,000 with a maximum of $100,000. The third tier has a minimum sanction of $10,000 with a maximum sanction of $250,000, and a maximum sanction of $50,000 per violation, with a maximum of $1,500,000, in addition to other penalties, which may include mandatory compliance plans and criminal penalties.

As part of its 2015 action plan, HHS has reported that it intends to increase the level of HIPAA enforcement. Most importantly, HHS reports that rather than simply responding to complaints, it will take a more aggressive position in conducting HIPAA audits of providers, whether or not a specific complaint has been asserted against that provider. As in other settings where the government has announced a plan for health care related audits, we anticipate that larger providers will initially be targeted for HIPAA audits, but there will also be random audits of all types of health providers. If HHS were to detect a pattern of violations in a particular practice area, we would anticipate a more aggressive audit strategy to follow.

Other Enforcement Authority.

Under the HITECH amendments, in addition to enforcement actions by the federal government, the statute specifically authorizes the Attorney General of each state to pursue civil actions for violations of the statute. We expect this to increase, particularly where public reports of breaches occur. The states can recover penalties to be paid to the state, which may include funds for patients.

Direct Patient Claims.

Occasionally, a patient will assert that they have a HIPAA claim and threaten to sue a provider for a claimed HIPAA violation. A patient is not permitted to file a lawsuit directly against a provider for a HIPAA violation. Because the statute specifically assigns enforcement authority for HIPAA to the federal government (or the state's Attorney General), and because the statute does not specifically authorize a patient to file a direct complaint, the law provides that the patient does not have a "private cause of action" under which a patient can file a suit directly against the provider. A patient may file a complaint with the Office of Civil Rights, and it is up to the OCR to pursue the claim, if at all. In most cases, a patient complaint will lead to the OCR sending a copy of the complaint to the provider and requesting that the provider submit copies of its compliance manual documents and provide its account of the events.

Common Law Claims.

In 1999, in the Biddle case, the Ohio Supreme Court recognized an independent claim for the "unauthorized, unprivileged disclosure to a third party of non-public medical information." This case was decided prior to the publication of the privacy rule regulations and before the effective date of those regulations. The courts have concluded that the Biddle doctrine remains effective and is not pre-empted by the HIPAA regulations. In short, a patient could assert a claim under the Biddle theory, which might be similar to HIPAA, but cannot use a violation of the HIPAA rules as the basis for a finding of liability under Biddle.

That statement might seem confusing, and in fact it is. In the recent case of Sheldon v. Kettering Health Network, the Court of Appeals was faced with a HIPAA-like claim against a hospital system. An administrator at the hospital had improperly accessed electronic health records of his former spouse and had shared that information with another employee whom he was dating at the time. Upon discovery of the disclosure, the former spouse sued her ex-husband and the hospital. The patient later dismissed the claim against her ex-husband and pursued the claim exclusively against the hospital. The Court of Appeals held that the hospital could not be held liable for the actions of its employee under the Biddle theory because the employee's conduct was not in furtherance of the business of the hospital. If the hospital employee had obtained the information at the direction of the hospital and had been directed to share it with others, the hospital could potentially be responsible; but in this case, the court concluded that because the employee was acting outside the scope of his job responsibility, his employer could not be held responsible for that breach under the Ohio common law theory.

The Sheldon decision is important for health care providers. From time to time, hospitals and practices have employees who access information for their own purposes or out of curiosity, and the Sheldon case provides an additional level of protection for those employers from civil liability.

HIPAA Compliance Action Steps.

Even though HIPAA does not provide patients a private cause of action directly against providers, and the Sheldon case provides additional protection for employers, practices should still focus on some steps to protect themselves against future claims or government enforcement activities.

  1. Dust Off the Compliance Manual. Many practices may have created their manual in 2003 and have failed to update or review the manual in the past decade. At a minimum, the manual should have been updated to include the HITECH changes in 2009. Make sure you continue to distribute the Notice of Privacy Practices.
  2. Update Your Forms. The Notice of Privacy Practices, Authorization and Business Associate Agreements all needed to be updated under the HITECH amendments. You should verify that you have a current form of Business Associate Agreement in effect with all third parties as needed. A 2003-version BAA is not likely to be compliant. Remember that it is the provider's obligation to obtain signed authorizations and BAAs, rather than relying on the party requesting information to provide them to you.
  3. Staff Training. HIPAA training should be a regular part of new employee orientation, with regular in-service training to make sure that your staff is complying with the Privacy and Security Rules and, with the passage of time, has not gotten lax in its diligence to protect patient information. Professionals need to set the example by following the rules.
  4. Investigations of Potential Breach. Under HITECH, any claimed breach requires the provider to conduct an investigation. The investigation may result in a finding of no breach, but if so, the practice should still maintain records of the review and its conclusion on those issues. Sometimes the result is a decision that some re-education of employees is appropriate; other times more serious steps may need to be taken, including self-disclosure to the government.

While most practices are extremely conscientious in protecting the confidentiality of patients' records, given the hectic pace of most practices today, errors may occur if your staff does not remain vigilant in their compliance. Early efforts to do so will prevent the practice from having significant problems down the road.

If you would like copies of the Biddle or Sheldon decisions or have any questions regarding HIPAA compliance, please contact Scott P. Sandrock at (330) 253-4367.
