
Healthcare Law Blog

Comprehensive Healthcare law services.
It's kind of our bag.


Showing 25 posts in Electronic Protected Health Information (ePHI).

A New Reason to Protect Protected Health Information

Recently, an Indiana jury awarded a plaintiff $1.8 million in damages after a Walgreens pharmacist inappropriately used her position to find and share the plaintiff’s protected health information (“PHI”). [1] As health care providers know, the Health Insurance Portability and Accountability Act (“HIPAA”) provides both civil and criminal penalties for improper disclosure of medical information but it does not create a state-based private cause of action for violation of its provisions. Thus, when someone’s PHI is inappropriately shared or disclosed by a health care provider, the individual does not have personal legal recourse against the offending party. The recent Indiana case (herein “Walgreens Co.”) illustrates, however, that HIPAA still has a significant role in state court suits alleging negligence and professional liability as it relates to confidentiality.


A New HIPAA Security Risk Assessment Tool For Your Compliance Arsenal

On Friday, the U.S. Department of Health and Human Services (HHS) announced a new security risk assessment (“SRA”) tool for small and medium-sized healthcare providers. The downloadable tool (available for free here) is a self-contained, independent application that is available for Windows and iOS platforms. The SRA works by asking a series of in-depth questions about the provider’s activities and facilities. The “yes” or “no” answer format for each question reveals whether corrective action is needed in a particular area. Additional resources in the SRA help providers understand the risks associated with the use, disclosure and storage of protected health information. The SRA also lets providers generate, update and document assessment materials and corrective action plans within the tool itself; such documentation is especially important for audit purposes.

Secure Text Messaging in a HIPAA World? Part II

Earlier this week, I referred to mobile applications such as TigerText and Doc Halo which are being touted as a method of “HIPAA-compliant” texting. These apps allegedly secure protected health information (PHI) sent via text message to ensure providers’ compliance with HIPAA privacy law. Covered entities must realize, however, that the use of these apps alone is not sufficient to pass a HIPAA audit. While HHS has not banned the texting of patient information, it has made clear that an organization should approve it only after “performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

Small Devices & Big Consequences: Why Medical Practices Need Encryption

On Tuesday, I shared information about the U.S. Health and Human Services (“HHS”) Office of Civil Rights’ (“OCR”) first settlement with a medical practice for alleged violations of the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The $150,000 settlement was made with Adult & Pediatric Dermatology, P.C., (“the Practice”) after the entity reported a stolen jump drive that contained PHI of approximately 2,200 patients.

Coming to a Medical Practice near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

The Sun is Not Setting on the EHR Safe Harbor

The Centers for Medicare & Medicaid Services (“CMS”) and the U.S. Department of Health & Human Services Office of the Inspector General (“OIG”) recently announced that the regulation allowing certain health care entities to donate electronic health records (with the entity subsidizing up to 85% of the donor’s costs) to physicians has been extended to December 31, 2021. The regulation, which provided a safe harbor from the Stark Law and Anti-kickback statute, was set to expire on December 31, 2013.

Guidance on Mobile Medical Apps

Recently, the U.S. Food and Drug Administration (“FDA”) issued its much-anticipated final guidance for developers of mobile medical applications (“apps”). Apps run on mobile communication devices and can present unique problems not only to consumers, but also to providers who must walk a fine line between meaningful use requirements and HIPAA regulations regarding personal health information (“PHI”).

PHI May Be In More Places Than You Think

A recent HIPAA settlement serves as an important reminder that protected health information (PHI) may be stored on “ordinary” office equipment such as printers, photocopiers, scanners and fax machines, and not just on computer hard drives. On August 14, 2013, the Department of Health and Human Services (HHS) announced a settlement with the not-for-profit managed care plan Affinity Health Plan, Inc. (“Affinity”) for over $1.2 million in connection with HIPAA Privacy and Security breaches stemming from PHI stored on a photocopier hard drive.

Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”

Doe v. Guthrie Clinic, Ltd.: A New Privacy Battleground?, cont.

Earlier this week, I mentioned the Doe v. Guthrie Clinic, Ltd.[1] case and what it may mean for provider liability. In a nutshell, the plaintiff in Guthrie seeks to extend the fiduciary duty of patient confidentiality beyond the licensed provider to the medical corporation, including hospitals and medical practices. Under the proposed theory, the hospital or medical practice could be held directly liable for the unauthorized disclosure of patient information regardless of whether an employee disclosed the information within the scope of employment. In other words, the unauthorized disclosure of patient information would be attributed to the medical corporation, which, acting through its representatives, breached patient confidentiality.
