Health Plans Should Act Quickly To Manage Heightened HIPAA Privacy Obligations & Liabilities

December 26, 2009 at 5:44 am

Health plans and their business associates should review and update their practices and policies concerning the use access and disclosure of protected health information in response to changing requirements and expanding enforcement exposures under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

A series of Office of Civil Rights (OCR) enforcement action against health plans highlights the need for group health plans and insurers to exercise care to comply with HIPAA’s Privacy & Security Rules.  For example, OCR recently required a HMO to take a series of corrective actions based on findings from its investigation of a complaint that the HMO impermissibly disclosed a member’s protected health information by sending her entire medical record to a disability insurance company without her authorization.  Based on its investigation, OCR found the HMO violated HIPAA by relying on a form to make the disclosure that failed to meet the Privacy Rule requirements to qualify as a valid authorization under the Privacy Rule.  Based on these findings, OCR required the HMO among other things:

  • To create a new HIPAA-compliant authorization form that specifies what records and/or portions of the files will be disclosed, that the respective authorization will be kept in the patient’s record, together with the disclosed information and otherwise to meet the content requirements of the Privacy Rule for an authorization; and
  • To implement a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form.

Another action resulted after a national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Privacy Rule.  To resolve this case, OCR required among other things that the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

In yet another case, OCR found an employee of a major health insurer impermissibly disclosed the PHI of one of its members without following the insurer’s authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures, to take action to mitigate the harm to the individual and to counsel and give a written warning to an employee who made the disclosure.

While OCR declined to impose any civil penalties in any of these three instances, violations of the Privacy Rules have resulted in both criminal prosecutions by the Department of Justice and the payment of large civil settlements to OCR.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information  HIPAA Risks Soar As CVS Agrees to Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA.  Furthermore, recent amendments to the Privacy Rules increase the likelihood that health plans and other covered entities violating the Privacy Rules will incur civil penalties.  The American Recovery and Reinvestment Act of 2009 (ARRA) amended the Privacy Rules effective October, 2009 to increase the civil penalties for Privacy Rule violations and to include new breach notification requirements for covered entities.  Additional ARRA amendments to HIPAA scheduled to take effect February 17, 2010 will further tighten the conditions under which covered entities may use, access or disclose PHI under the Privacy Rules, will expand the circumstances under which health plans and other covered entities will be required to account for dealings with PHI under HIPAA, and will extend the duty to comply with and liability for violations of the Privacy Rules to business associates.  In the meanwhile, employees increasingly are alleging Privacy Rule violations as part of their whistleblower or other wrongful discharge claims.  See, e.g. Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.

In light of these changing rules and expanding liabilities, health plans and their business associates need to review and update their Privacy and Security practices, business associate agreements and privacy notices for compliance in light of the expanding enforcement activities of OCR and these evolving Privacy and Security Rules.  These and other developments make it imperative that health plans and other covered entities and their business associates immediately review and update their HIPAA and other data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws.

If your organization needs assistance reviewing, updating, administering or defending privacy and data security practices under HIPAA, state data breach or other laws, Curran Tomko Tarski LLP can help.  The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising and assisting health plans, health insurers, and other covered entities and business associates to review, update, document, enforce and defend their HIPAA and other privacy and data security policies and practices.  The author of numerous publications on HIPAA and other privacy and data security rules, she also speaks and conducts training extensively on these concerns. 

We hope you found this information helpful.  If you or some that you know would like to register to receive future Health Privacy & Technology Updates, register or update your profile here and/or register to receive these updates in blog distribution form here.  If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care or employment laws or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer via e-mail to Cstamer@CTTLegal.com or by telephoning Ms. Stamer at 214.270.2402.    To learn more about Cynthia Marcotte Stamer click here.  For important information concerning this communication click here.

 ©2009 Cynthia Marcotte Stamer.  All rights reserved. 

Advertisements

Entry filed under: Data Security, Electronic Health Records, Electronic Medical Records, Health, Health care, Health Information Technology, Health Plans, HIPAA, HiTech Act, Hospitals, Medical Privacy, Personal Health Records, Physicians, Privacy, protected health information, Retailitory Discharge, Whistleblower. Tags: , , , , , .

Office of the National Coordinator for Health Information Technology (ONC) Accepting Grant Applications Under 2 Health IT Education Grant Programs Stamer Speaks To CPAs About “Privacy & Information Security: Managing Your Accounting Practice’s Liabilities & Counseling Your Clients” January 12, 2010


December 2009
S M T W T F S
« Sep   Jul »
 12345
6789101112
13141516171819
20212223242526
2728293031  

Recent Posts

Share this blog

Bookmark and Share
December 2009
S M T W T F S
« Sep   Jul »
 12345
6789101112
13141516171819
20212223242526
2728293031  

%d bloggers like this: