
Brand Damages More than Legal Damages in HIPAA Violation

Posted on July 9, 2013 | Written By John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently discussing with someone the possible legal damages of a HIPAA violation by a healthcare organization’s business associate. We all know that thanks to HIPAA omnibus, the business associate will now be held liable for any HIPAA breaches or violations that occur. One question I haven’t seen addressed is whether the covered healthcare organization entity would also be held responsible for the business associate’s breaches or violations. Before, the healthcare organization would be the only one with consequences. Are the consequences for the healthcare organization still the same if a business associate has a HIPAA breach?

I think the answer probably depends on the business associate agreement. Although, maybe you can’t shield yourself from liability for a business associate’s negligence just with a well done business associate agreement. Hopefully some of my healthcare lawyer readers can shed light on this subject.

One thing I am sure of is that the legal damages pale in comparison to the damages to a brand when a HIPAA violation occurs even when the violation is completely the responsibility of the business associate. Healthcare organizations are still going to be held responsible for the violation. No doubt we’ll hear the phrase, “the healthcare organization should have properly vetted and checked that their business associates were following HIPAA.”

While we can all agree that many healthcare organizations aren’t as diligent as they should be with business associates, should the healthcare organization have to babysit all of their business associates?

Like most things in life, there has to be a balance. You can’t play big brother with all of your business associates. You’ll drive your business associates crazy and waste a lot of resources in the process. However, I think we can look to HIPAA for the guidelines. Every healthcare organization should have a well thought out understanding and process for how they decide who they work with as business associates.

The reality is that regardless of who takes on the legal consequences of a HIPAA violation, the healthcare organization is the one that has to worry most about the damage to their brand.

HIPAA Omnibus – What Should You Know?

Posted on March 26, 2013 | Written By John Lynn


I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Posted on February 25, 2013 | Written By John Lynn


The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches – more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend – and then prepare for – the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance? The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule – and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HIPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section. She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records. She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group. She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program. She also serves on the advisory board for Care Communications based in Chicago, Illinois.

HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

Posted on July 9, 2012 | Written By Katherine Rourke

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform audits required by HITECH.

Here’s how OCR is going to check both you and business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from law firm Faegre Baker Daniels:

Privacy Rule
  • Notices of privacy practices
  • Right to request privacy protection for PHI
  • Access to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accountings of disclosures

Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to disclose if they’d used information on patients – including for treatment, payment or operations – if the access was through an EMR.

While that’s sticky to enforce, it mostly affects providers rather than business associates. But things could get a little trickier going forward. A new proposed rule would now require a basic access report applying not just to EMRs, but also to uses and disclosures of e-PHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated records set) would have to provide the access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether, in the meantime, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us. Scary times.

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Posted on June 6, 2012 | Written By Katherine Rourke


Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns. I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There are many, many ways a business associate can drop the ball, especially if you’re not keeping them informed. For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions. The stolen tapes included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have done wrong, it was the hospital which was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General slapped the hospital with these fines because it hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates? The following list of criteria, supplied by Thu Pham, seems likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose. Now, over to you. Do you think this list is sufficient to protect your institution? Are there items you’d add or clarify?

Guest Post: HIPAA Responsibility – Whether You Want It or Not

Posted on March 21, 2012 | Written By John Lynn

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is a good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement, penalties and current ONC audits make it clear that ignorance of adherence to HIPAA by your business associates (BAs) is not a valid strategy.

In fact, the Ponemon Institute study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal perspective.

The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.

It’s Time to Act

The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to ensure compliance is through your contracting process.

It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, etc. This due diligence at contracting time pays off in many ways when ONC auditors knock on your door.

The due diligence must be a continual process, not just “once and done”. The laws are changing and the Health and Human Services (HHS) Office for Civil Rights (OCR) is implementing new risk audits in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rules while paying less attention to the Security Rules. The privacy rules focus on the “what,” while the security rules focus on the “how” of compliance.

To protect yourself, you should be doing self-assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.

Simple Encryption Goes a Long Way

Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.

To prevent large breaches, it is essential that BAs which use electronics have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.

Remember, a lost electronic device that contains encrypted data is not considered a reportable breach. Encryption is a logical first step that, while not yet HIPAA mandated, will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or in a given timeframe.

Paper Breaches Also a Concern

And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.

Any access to paper records and appropriate destruction of those records must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lie around on desks, and make sure all personnel are trained in the handling of paper records.

Training and Education for All

Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.

Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!

Covered Entity Is the Only One with “Egg on their Face”

Posted on February 28, 2012 | Written By John Lynn


When I first started writing this blog about six years ago, I named it EMR and HIPAA. I was working to implement an EMR at that time (this was well before EHR became in vogue) and I knew that HIPAA was a major talking point in healthcare.

Over time I’ve learned that doctors care enough about HIPAA to make sure that they don’t hear about it again. Up until now, that’s worked pretty well for most doctors. There haven’t been many HIPAA lawsuits and the government has mostly only investigated reported incidents.

We started to see a shift in this with the passing of the HITECH Act, which many described as giving “teeth” to HIPAA. I think we’re just now starting to see some of those teeth coming to bear with things like the OCR audits that 150 HIPAA covered entities will experience this year. That’s still a pretty small number, but the experience of those 150 is teaching us and the government a lot about areas where healthcare institutions have done a good job with privacy and security and where they likely are weak.

While at HIMSS I had the pleasure to have a brief conversation with CynergisTek CEO and chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan. I love talking with people like Mac since he is an absolute domain expert in the areas of privacy and security in healthcare. You just start him talking and from memory he’s pouring out his knowledge about these important and often overlooked topics. I loved what he had to say so much that I asked him if he’d do a series of blog posts on the OCR audits which I could publish on EMR and HIPAA. He said he was interested and so I hope we’re able to make it happen.

One simple thing that Mac McMillan taught me in our admittedly brief conversation was the changing role of the business associate in healthcare. In the past, most covered entities kind of hid behind their business associates. Many did little to verify or keep track of the policies and procedures employed by their business associates. With the new HITECH rules for disclosure of breaches and the OCR audits, covered entities are going to have to keep a much better eye on their business associates.

Mac then pointed out to me that the reason covered entities have to take on more responsibility is that they’re the ones that are going to be held responsible and take the brunt of the problem if their business associate has a privacy or security issue. I see it as the Covered Entity will be the one with Egg on their Face.

I don’t think we have to take this to an extreme. However, there’s little doubt that covered entities could do a much better job evaluating the privacy and security of their business associates and hold them to a much higher standard. If they aren’t, I wouldn’t want to be there for the OCR audit with them.