Spencer Fane LLP Logo

HIPAA Hodgepodge

After more than ten years, HIPAA is still a hot topic. Here is a rundown of recent developments.

Enforcement Activity. Enforcement activity continues. In a recent Resolution Agreement, a hospital in Massachusetts agreed to settle potential HIPAA violations with OCR for $850,000. In addition, the hospital agreed to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.

The Resolution Agreement indicated that a laptop was stolen from an unlocked radiology treatment room at the hospital. The laptop hard drive contained treatment records of 599 individuals. During the subsequent investigation, OCR concluded that there was evidence of widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of the hospital’s ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ protected health information.

This Resolution Agreement highlights the importance of addressing remote and mobile devices as part of a comprehensive HIPAA compliance program. For a full list of recent Resolution Agreements, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.

Expansion of Disclosure Rules. In January, the Department of Health and Human Services released a final rule that permits certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm. The rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their states to report this information to NICS. The rule does not apply to most treating providers or health plans.

Guidance on Request for Access. The HHS Office for Civil Rights (“OCR”) released a fact sheet and the first in a series of topical Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and obtain a copy of their health information. The FAQs address the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program.

New Website. OCR has recently undertaken a full redesign of its website. The new website, www.hhs.gov/ocr, is intended to be a more responsive, user-friendly platform. Features of the new site include:

  • Categorization of information and resources by “Individuals,” “Professionals” and “Providers” for easier, quicker access to the most useful content;
  • Improved search functionality displaying OCR-specific information and resources prominently at the top of search results listings;
  • Built on a mobile-first platform to optimize access on cell phones, tablets and other mobile devices; and
  • Simplified and refined site navigation and content layout.