In November 2019, the Department of Health and Human Services, Office for Civil Rights (“OCR”) imposed a $1.6M civil money penalty on the Texas Health and Human Services Commission (“TX HHSC”), Department of Aging and Disability Services (“DADS”) for HIPAA violations.
In June 2015, DADS reported a breach of electronic protected health information (“ePHI”) to OCR. DADS discovered that the ePHI of 6,617 individuals was viewable online, including names, addresses, Medicaid numbers, and social security numbers. A flawed software code allowed this data to be accessible without access credentials.
OCR determined that DADS failed to conduct an enterprise-wide security risk assessment and failed to implement audit controls and access controls, as required by the HIPAA Security Rule. As is nearly always the case in HIPAA enforcement actions, while the breach itself may have initiated the OCR investigation, flaws in DADS’ HIPAA compliance program also were cited in OCR’s determination to issue the civil money penalty. While a covered entity or a business associate may not always be able to prevent a HIPAA breach, it can ensure that it has a robust compliance program in place. Notably, one factor cited repeatedly in OCR enforcement actions over the past several years is the lack of an enterprise-wide security risk assessment. Organizations should prioritize compliance with this HIPAA requirement.
In determining the amount of the civil money penalty levied on DADS, OCR acknowledges that DADS’ HIPAA noncompliance did not result in any known harm to individuals, nor limit their ability to receive health care. However, OCR also noted that, while DADS committed to OCR to complete an enterprise-wide security risk analysis within one year, it failed to do so. HIPAA-regulated entities should be advised that, once a governmental audit or investigation commences, it is important to make every attempt to ensure that your compliance program comports with the HIPAA regulations and guidance from OCR and, particularly, to fulfill any commitments made to the regulators.
On November 27, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced Sentara Hospitals (Sentara) has agreed to pay $2.175 million to OCR and adopt a corrective action plan that includes two years of monitoring to settle possible violations of HIPAA. Sentara has 12 acute care hospitals and more than 300 sites of care in Virginia and North Carolina.
In April 2017, OCR received a complaint that an individual received a bill from Sentara that contained PHI for another patient. Once OCR initiated an investigation to review the complaint, OCR determined that Sentara improperly disclosed PHI of 577 patients to wrong addresses. This occurred when Sentara accidentally merged these patients billing statements into mailing labels of more than 16,342 other individuals. Information included patient names, account numbers, or dates of services. Sentara, however, incorrectly concluded from its risk assessment that the improper disclosure leading to a breach actually only affected eight individuals. Specifically, Sentara wrongly believed that notification to OCR and affected individuals only had to be made if patient diagnosis, treatment information, or other medical information had been improperly disclosed.
Even after OCR advised Sentara of its duty to properly report the breach for the remaining 569 individuals, OCR noted that “Sentara persisted in its refusal to properly report the breach…” OCR’s investigation also led to OCR finding that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performs business associate services for Sentara, until October 17, 2018.
The penalty and corrective action plan is an important reminder to covered entities to accurately and timely report breaches to OCR. Under HIPAA, covered entities must perform comprehensive risk assessments when determining whether a breach occurred and thoroughly evaluate the probability that PHI had been compromised. Once a reportable breach has been determined, covered entities are required to notify OCR of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days following the breach. If a breach affects fewer than 500 individuals, a covered entity may notify OCR of such breach on an annual basis.
To drive the reporting requirement point further, OCR Director Roger Severino stated, “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
OCR’s press release about this settlement can be found here.
On October 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it had imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for multiple HIPAA violations. JHS is a nonprofit academic medical system in Florida that provides health services to approximately 650,000 patients annually and employs about 12,000 individuals. What OCR evaluated to determine the civil money penalty of $2.15 million is discussed below and from OCR’s notice of proposed determination to JHS.
Improper disclosure of PHI of an NFL player and unauthorized access to PHI by employee leading to selling of PHI
In July 2015, OCR started an investigation after a media report disclosed the PHI of an NFL player that was a JHS patient. OCR determined during its investigation that a nurse who treated the NFL player in the operating room continued to access his PHI thereafter even though she no longer had a reason to do so. Another employee also accessed the NFL player’s PHI without authorization. While OCR recognized that JHS did sanction these employees, the employees’ ability to have broad access demonstrated the lack of control of appropriate access to ePHI for employees.
Furthermore, on January 4, 2016, JHS’s Office of Compliance and Ethics was notified by an anonymous caller that an employee was selling patients’ ePHI. It was determined by JHS that the employee had access to ePHI without proper authorization or authority to access for over five years and had inappropriately accessed over 24,000 patient records.
OCR noted that based on the above, JHS failed to (i) implement procedures to regularly review audit logs and access reports to ensure there is proper access to ePHI and (ii) implement policies and procedures for granting access to ePHI so that JHS’s workforce may only access the minimum necessary to fulfill their job duties.
Failure to timely report to OCR lost patient records
JHS had two incidents of lost patient records in December 2012 for 715 patients and January 2013 for 756 patients. While HIPAA requires a covered entity to report breaches of unsecured protected health information involving 500 or more individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, JHS did not submit a breach report to OCR until August 22, 2013 (meaning JHS was at least 160 days late to report the breach). Furthermore, the initial report to OCR only identified the January 2013 loss and JHS did not submit an addendum reflecting the December 2012 loss until June 7, 2016.
OCR also noted that JHS’s breach notification policy implemented in October 2013 does not include specific procedures for ensuring notification will be submitted to OCR as required by the Breach Notification Rule.
Failure to conduct adequate risk assessments and implement security measures to identified risks and vulnerabilities as required by the Security Rule
In response to several data requests from OCR, JHS provided OCR “risks analyses” for JHS that were conducted by third-party vendors every year from 2014–2017. OCR noted the following about the risks analyses:
Risks analyses conducted before 2017 erroneously stated that several provisions of the Security Rule were not applicable to JHS.
All failed to include all ePHI created, received, maintained, or transmitted by JHS and did not identify the totality of threats and vulnerabilities that existed in JHS’s systems.
The 2017 risk analysis only included the main campus of JHS in the analysis.
Two risk analyses had blank sections.
OCR noted that for the risk analyses provided, JHS did not remediate risks, threats, and vulnerabilities identified by the risk analyses to a reasonable and appropriate level as required by the Security Rule. Furthermore, “high risks” identified in 2014 and 2015 risk analyses still were identified as “high risks” in the 2016 risk analysis with no evidence from JHS to reduce these risks and vulnerabilities.
Covered entities can learn the following from OCR’s notice of proposed determination:
It is not enough to have the capability to create audit logs and access reports for systems that contain ePHI. Records of information system activity need to be reviewed on a regular basis.
Have policies and procedures in place that address the Breach Notification Rule and include specific procedures for effectively providing notification under this Rule.
Conduct yearly risk assessments that include all ePHI created, received, maintained, or transmitted by the covered entity.
Review yearly completed risk assessments and identify and address threats and vulnerabilities that need to be remediated.
OCR’s press release about the civil money penalty against JHS can be found here.
On October 7, 2019, New York Governor Andrew M. Cuomo signed into law a bill that prohibits New York ambulance service providers and advanced life support first response service providers from selling, disclosing, transferring, or otherwise using identifiable patient information for marketing purposes. “Marketing” is defined as advertising, promotion, or any other activity that is intended to influence business sales or market share, including evaluating the effectiveness of marketing personnel or practices.
Although the legislation limits marketing-related uses and disclosures, it continues to permit ambulance providers and other first responders to share identifiable patient data with the patient and those authorized to make health care decisions for the patient, with health care providers treating the patient, and with the patient’s insurer, as well as third parties that have a legal right to the information—such as those authorized by a court order, a government entity, or law enforcement personnel. With patient consent, identifiable information can be used for training, promotion, or for staff recognition and recruitment.
All types of entities—for-profit, nonprofit, and governmental—are subject to these data restrictions, although nonprofit and governmental entities may use a patient’s name and address to solicit donations.
The legislation takes effect 180 days from its October 7, 2019, enactment date.
In a recent webinar, the Nixon Peabody Higher Education team addressed the potential implications of HIPAA on colleges and universities, including in relation to their employer-sponsored health plans, student health clinics, and counseling programs.
Does HIPAA apply to student health centers? Laurie Cohen, Partner (Health Care, Albany)
In providing health care services to students, the college/university will be considered a health care provider under HIPAA (and thus a “covered entity”) if it submits claims electronically to a student’s health insurer or conducts any other covered transactions electronically.
Although the college/university may be considered a HIPAA-covered entity, the college/university will not, however, be required to comply with the HIPAA Privacy Rule to the extent that the health records maintained by the health center relate only to its students. HIPAA specifically excludes “education records” or “treatment records” from the definition of “protected health information (PHI).”
Instead, such student health records are governed by the Family Educational Rights and Privacy Act (FERPA). Although HIPAA does not apply to student health records, if the college or university meets the definition of a covered entity, HIPAA will apply to any PHI of non-students held by the college or university. To limit the application of HIPAA to specific components/departments, the college or university will want to determine whether to designate itself a “hybrid-covered” entity.
College/university-sponsored health plans are HIPAA-covered entities. Yelena Gray, Partner (Labor & Employment, Chicago)
College and university group health plan sponsors must amend their plan documents for compliance with HIPAA, certify to their plans that the sponsor will adhere to the HIPAA requirements, and establish a firewall between the sponsor’s personnel with access to PHI and the sponsor’s other workforce.
Colleges and universities must also identify plan vendors that are business associates and enter into business associate agreements with them to ensure maximum protection for plan participants and their covered dependents.
Is the college/university regulated as a HIPAA business associate? Valerie Breslin Montague, Partner (Health Care, Chicago)
Colleges and universities should continually review their operations to determine whether any of their services trigger HIPAA regulation as a business associate arrangement, such as a university providing administrative services to a physician faculty practice plan, where such an arrangement involves access to protected health information. If so, the organization should ensure that it enacts a HIPAA compliance plan and carefully reviews the provisions of all business associate agreements to ensure that the terms governing indemnification, notification, de-identification, and return of data, among others, are acceptable.
Assessing the applicability of HIPAA.
The consequences of noncompliance with HIPAA are significant. Nixon Peabody is able to assist colleges and universities to assess the applicability of HIPAA to its health center operations; its employer-sponsored health plan, as well as other components.
Please reach out to Laurie Cohen, Yelena Gray, or Valerie Montague for additional information.
On October 2, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced Elite Dental Associates - Dallas, P.C. (Elite) had agreed to pay $10,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy Rules.
Elite is a private dental practice in Dallas, Texas, that had a patient submit a review on Elite’s Yelp review page. Elite decided to respond to the patient’s review by disclosing the patient’s last name and details of her treatment plan and insurance. The patient subsequently submitted a complaint to OCR on June 5, 2016, regarding Elite’s response.
Once OCR initiated an investigation of the dental practice to review the patient’s complaint, OCR determined that Elite improperly disclosed PHI of multiple patients in response to Elite’s Yelp reviews without valid HIPAA authorizations; failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms; and failed to have the minimum content required in its Notice of Privacy Practices as provided by the HIPAA Privacy Rule. Even though Elite had the above significant HIPAA violations, OCR noted that it took into account Elite’s size, financial circumstances, and cooperation with OCR’s investigation when accepting the $10,000 settlement amount.
OCR Director Roger Severino stated, “Social media is not the place for providers to discuss a patient’s care” and that “[d]octors and dentists must think carefully about patient privacy before responding to online review.”
To drive this point forward, part of Elite’s corrective action plan with OCR includes Elite being required to revise its Notice of Privacy Practices to include a description of the uses and disclosures of PHI for which Elite is required to obtain an individual’s authorization and OCR gives examples of posting on Elite’s website, social media pages, and/or other public platforms to include in this Notice. Notably, this requirement to provide specific social media examples that require HIPAA authorization goes beyond what is provided in the Notice of Privacy Practices requirements in the HIPAA Privacy Rule. 45 CFR §164.520(b) only requires specific notice of the requirement for authorization for psychotherapy notes and marketing and sale of PHI. For all other uses or disclosures not otherwise permitted by HIPAA, 45 CFR §164.520(b) only requires a general statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with an individual’s written authorization and a statement that the individual may revoke an authorization.
Elite’s lesson with OCR is an important lesson for all HIPAA covered entities about the necessity of understanding their responsibilities under HIPAA when posting or responding on any social media platform.
OCR’s press release about this settlement can be found here.
On September 9, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) issued its first enforcement action under its Right of Access Initiative. Bayfront Health St. Petersburg, a 480-bed hospital in Florida (“Bayfront”), was fined $85,000 and is subject to a corrective action plan following its failure to provide a mother with timely access to her unborn child’s medical records.
The enforcement action was spurred by the mother’s complaint to OCR, stating that she requested from Bayfront the medical records of her unborn child and had not received them. OCR’s investigation found that Bayfront failed to provide the mother with access to the requested PHI. In addition to the financial penalty, Bayfront is required to develop or revise access policies and procedures that comply with the HIPAA requirements and train workforce members and applicable business associates on these policies and procedures.
OCR’s Right of Access Initiative, announced earlier this year, is intended to “vigorously enforce” patients’ rights to receive copies of their medical records in a prompt manner without being overcharged for the records. The right of access is a fundamental patient right under the HIPAA Privacy Rule, and OCR has expressed concern that health care providers were failing to provide timely patient access and were overcharging patients for copies of their records. Health care providers, and any business associates tasked with assisting with the provision of access to records, must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access. A health care provider must provide patient access within 30 days of a request unless it has a reason to deny the request that is permissible under the Privacy Rule or unless it has a valid reason to extend its response time by no more than 30 days. The provider is limited to charge only a reasonable, cost-based fee for the records. Applicable state law may specify precise amounts or place additional limitations on what a provider may charge a patient.
This post is adapted from an Alert posted August 28, 2019 and was co-authored by Jacalyn Smith.
On August 26, 2019, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rule Making (NPRM) outlining revisions to the Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations. The proposed rule in part reflects SAMHSA‘s efforts to facilitate and enhance coordination of care for substance use disorders (SUD) while still maintaining Part 2 confidentiality protections.
SAMHSA has also issued another proposed rulemaking specifically to provide clarification that a court may authorize disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, even if the extremely serious crime was not allegedly committed by the patient as previously provided by the 2017 Final Rule (82 FR 052).
The following analysis presents an overview of the key proposed changes to Part 2 and the implications for Part 2 programs as well as non-Part 2 providers.
Applicability and re-disclosure
Within the NPRM, SAMHSA seeks to clarify the confidentiality and restrictions on re-disclosure of SUD-related information collected by Part 2 programs and non-Part 2 providers. SAMHSA clarifies that a non-Part 2 provider’s inclusion of SUD information in such provider’s records does not subject that record to Part 2, even in cases where the SUD information may have originated from a discussion with a Part 2 provider or from the non-Part 2 provider’s review of the Part 2 record. The NPRM specifically states: “the intent of these proposed clarifications is to better facilitate coordination of care between non-Part 2 providers and Part 2 programs, and to resolve lingering confusion among non-Part 2 providers about when and how they can capture SUD patient care information in their own records, without fear of those records being subject to the confidentiality requirements of Part 2.” SAMHSA also seeks to clarify that the Part 2 restrictions on re-disclosure apply to the Part 2 record and not the SUD information that may be learned from such record and then incorporated by the non-Part 2 provider in her records generated during the course of treating the individual. The NPRM states: “the intent is to allow a non-Part 2 provider to receive SUD information about a patient from a Part 2 program, and then to engage in a treatment discussion with that patient, informed by that information, and then be able to create her own treatment records including SUD content, without the latter becoming covered by Part 2.”
SAMHSA also recommends that non-Part 2 providers “segregate” or “segment” patient records in order to differentiate information subject to Part 2’s confidentiality requirements and information gathered from a discussion with a Part 2 provider used or learned from the review of the Part 2 record, in conjunction with information learned or confirmed by the non-Part 2 provider in the course of treating a patient. The NPRM proposes to add a new subsection (d)(2)(ii) to § 2.12 to read: “Notwithstanding paragraph (2)(i)(C) of this section, a non-Part 2 treating provider may record information about a substance use disorder (SUD) and its treatment that identifies a patient. This is permitted and does not constitute a record that has been re-disclosed under Part 2, provided that any SUD records received from a Part 2 program or other lawful holder are segregated or segmented. The act of recording information about a SUD and its treatment does not by itself render a medical record which is created by a non-Part 2 treating provider subject to the restrictions of this Part 2.”
The 2017 final rule (82 FR 052) for Part 2 made several changes to the consent requirements for disclosure of protected information in Part 2 records including amending the written consent requirements regarding identification of the individuals and entities to whom disclosures of protected information may be made. This change allowed the use of a general designation in the “to whom” section of the consent requirement to individuals or entities with a treating provider relationship to the disclosing patient. With limited exceptions, disclosures of protected information to other entities or individuals without a treating provider relationship still required providing a specific individual name who would receive the protected information. SAMHSA noted that this amendment led to patients with SUDs having difficulty authorizing the disclosure of their protected information to third parties for non-treatment purposes, such as trying to obtain social security benefits or obtaining housing in a local sober living or a halfway house program (e.g., if the patient did not have a specific individual name at a halfway house).
SAMHSA now proposes to allow patients to authorize the disclosure of their protected information to organizations that do not have a treating provider relationship with the patient without the need to identity a specific individual that will receive the information. For example, if a patient wants a Part 2 program to disclose certain information to the Social Security Administration for benefit purposes, under the proposed rule, the patient would only need to identify the agency on the “to whom” section of the consent form.
Notably, however, SAMHSA proposes to maintain the treatment provider relationship requirement if a recipient entity is an entity that facilitates the exchange of health information or a research institution in order to ensure that only entities with the need to know the protected information from Part 2 records receive it.
Disclosures permitted with written consent
In the 2018 final rule (83 FR 239) for Part 2, SAMHSA determined that disclosures by lawful holders to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations activities are permitted with written consent. While SAMHSA included a list of possible payment and health care operations activities, it previously decided not include such list in the Part 2 regulations. Thereafter, SAMHSA noted that stakeholders expressed confusion on whether information from Part 2 records could be disclosed for certain activities if not explicitly identified in the regulatory text. SAMHSA now proposes to list out the payment and health care operations activities (e.g., billing, underwriting, third-party liability coverage, etc.) in the Part 2 regulations that were previously provided in the 2018 final rule preamble while also noting that adding this list to the regulations is intended to be illustrative rather than exhaustive. SAMHSA also reiterated the same point as made in the 2018 final rule that disclosure for payment and health care operations is not intended to cover care coordination or case management (unlike as seen with HIPAA, which includes such activities under “health care operations”).
Disclosures to central registries and PDMPs
SAMHSA proposes to allow non-opioid treatment program (OTP) providers that have a treating relationship to a patient to access the central registries (organizations that obtain information from withdrawal management or maintenance treatment programs) to inquire about the patient. SAMHSA recognizes that with the opioid epidemic it is a necessity for providers that work with patients with SUDs to have access to the information provided in central registries to prevent not only duplicate patient enrollment for OUD treatment but also to help non-OTP providers make informed decisions about appropriate treatments.
In regards to prescription drug monitoring programs (PDMPs), previous SAMHSA guidance informed OTP providers that they could not disclose patient identifying information to a PDMP unless an exception applied. SAMHSA has now determined that, based on the opioid crisis, the lack of OTP data from PDMPs can result in significant adverse events, as patients may receive either duplicate or possibly contraindicated prescriptions outside of any prescriptions provided by an OTP provider. Therefore, SAMHSA proposes to allow OTP providers and other lawful holders to report OTP prescription data to their respective state PDMPs. Part 2 providers would still be required to obtain written consent from the patient whose identifying information would be disclosed prior to any submission to the respective PDMP.
SAMHSA also recommended changes to how research institutions access patient identifying information in SUD-related studies. Under Section 2.52, Part 2 providers may only disclose patient’s identifying information without patient consent if the research is conducted by a HIPAA covered entity or its business associate that (1) has obtained authorization from the patient, (2) holds a waiver or other authorization that is consistent with HIPAA Privacy Rule, or (3) is subject to the HHS regulations regarding the protection of human subjects under the Common Rule. As the number of patients receiving treatment for SUD and OUD continues to rise, SAMHSA found limiting access to specific research institutions ultimately restricts the advancement of treatment.
Under the new rule, SAMHSA proposes modifying Section 2.52 to allow Part 2 data to be disclosed to three types of research entities. First, patient identifying information may be disclosed to a HIPAA covered entity or a business associate that is neither a HIPAA covered entity nor subject to the Common Rule, as long as any such data will be disclosed in accordance with the HIPAA Privacy Rule. SAMHSA will also allow research disclosures to members of the workforce of HIPAA covered entities for employer-sponsored research that requires all research activities to meet the requirements of either the Privacy Rule and/or the Common Rule. Last, patient identifying information may be disclosed to entities governed by the Federal Drug Administration’s regulations for the protection of human subjects in clinical investigations.
Audit and evaluation
To address perceived confusion as to permissible disclosures for audits and evaluations, as well as to align the Part 2 regulations with those governing quality improvement organizations, SAMHSA proposes rule updates regarding disclosures for audits and evaluations. Acknowledging that the Part 2 regulations do not define audits and evaluations, SAMHSA clarifies that these concepts are not limited to reviews that analyze the performance of individual Part 2 programs. Audits or evaluations may be tools to determine if changes need to be made at an agency or payor level. In the NPRM, SAMHSA encourages Part 2 programs to disclose de-identified information, but acknowledges that this may not always be feasible or economical. The NPRM specifies that Part 2 programs may disclose records to government agencies and third-party payors for audit and evaluation purposes, including for identifying actions necessary to improve treatment and outcomes for Part 2 patients, and that records may be disclosed to government agencies and their contractors for audits or evaluations mandated by law. It also clarifies that an auditor may be a party that has administrative control over the Part 2 program with respect to audits and evaluations of the program.
Undercover agents and informants
To combat any illicit sale or transfer of drugs by medical personnel, the Part 2 regulations currently permit the placement of undercover agents and informants within Part 2 programs, limited to a period of six months. Following input from the U.S. Department of Justice, SAMHSA believes that this six-month cap is overly restrictive, as investigations can last for longer periods. The NPRM proposes allowing court-ordered placement of an undercover agent or informant within a Part 2 program for a period of up to 12 months starting from the date that the agent is placed in the program, or the date the informant is identified. Courts may further extend the period of placement through a new court order.
For the NPRM for all but the proposed change addressed below, stakeholders will have until October 25, 2019, to submit their comments. For the NPRM regarding clarification for when courts may authorize disclosure of confidential communications, stakeholders will have until September 25, 2019, to submit their comments.
On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.
The first FAQ addresses care coordination and care management disclosures between two health plans. OCR emphasized that both these activities are included in the definition of health care operations as provided by the HIPAA Privacy Rule. Disclosures for health care operations purposes must be based on the two entities having a relationship with the individual who is the subject of the requested PHI and the PHI pertains to that relationship. Therefore, OCR noted the Privacy Rule permits one health plan to share PHI about an individual in common with a second health plan for care coordination purposes without the individual’s authorization. In terms of an individual switching health plans, OCR provided that the Privacy Rule would also allow an individual’s previous health plan to disclose PHI to the new health plan without the individual’s authorization as well.
The second FAQ addresses health plans using and disclosing PHI to inform individuals about other available health plans that it offers without the individual’s authorization. Generally, health plans are prohibited from using or disclosing PHI for marketing purposes without an individual’s authorization. There are, however, certain exceptions to the marketing authorization requirement and also there are specific activities that are not included in the definition of marketing. OCR provided that one exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans so long as the health plan is not receiving financial remuneration for the communications. To demonstrate this exclusion, OCR provided that when a “Plan A” discloses PHI about an individual to “Plan B,” which is a separate covered entity, Plan B is allowed to send communications to the individual regarding Plan B’s health plan options to replace the individual’s current plan (e.g., discussion of Medicare plans when reaching age of eligibility) so long as there is no remuneration received by Plan B for sending this communication to the individual and such disclosure complies with any applicable business associate agreement(s).
The OCR FAQ document can be found here.
On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.
MIE provides software and electronic medical record services to health care providers. On May 26, 2015, MIE found suspicious activity on one if its servers and upon further examination determined that unauthorized access to its network began on May 7, 2015, leading to hackers accessing electronic PHI (ePHI) of approximately 3.5 million people. Access was based on a compromised user ID and password.
On July 23, 2015, MIE filed a breach report to OCR and OCR’s investigation determined in part that MIE did not conduct a comprehensive risk analysis, as required by the HIPAA Security Rule, prior to the breach by the hackers. OCR Director Roger Severino stated “[e]ntities with medical records must be on guard against hackers” and “[t]he failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
MIE’s corrective action plan requires MIE in part to develop a complete inventory of all of its facilities, categories of electronic equipment, data system and applications that create, receive, transmit or maintain ePHI and subsequently conduct a risk analysis that evaluates the risks to ePHI on MIE’s inventory.
Interestingly, the day after OCR’s MIE settlement press release, OCR issued a press release providing that it has issued a new fact sheet to list out all HIPAA provisions through which a business associate can be held directly liable for HIPAA compliance.
OCR’s press release about this settlement can be found here and OCR’s press release about the new fact sheet for business associates can be found here.