DBR ON DATA

Security, Privacy and Information Governance

Category: Health Care



Page 2 of 5

Involuntary Dissolution Does Not Absolve Business Associate of HIPAA Obligations

Share

A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including storage, maintenance, and delivery of medical records.  On February 10, 2015, OCR received an anonymous complaint alleging that an individual had transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015.  OCR investigated the matter and confirmed that an individual had left medical records that contained the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility.  OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and left the PHI unsecured outside of the Filefax facility.

Continue reading

OCR Kick Starts 2018 with Severe $3.5 Million HIPAA Settlement and Corrective Action Plan

Share

Fresenius Medical Center North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a two-year comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

The no-fault resolution agreement states that FMCNA reported five separate incidents that occurred between February 23, 2012 and July 18, 2012 at five distinct FMCNA facilities (FMCNA Covered Entities).  FMCNA provides centralized corporate support to the FMCNA Covered Entities, including storing patient’s medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances surrounding each breach reported to it by the FMCNA Covered Entities.

Continue reading

Singapore Addresses Confidentiality of Electronic Patient Records in New Healthcare Services Bill

Share

Singapore’s Ministry of Health (MOH) recently drafted a new Healthcare Services (HCS) Bill aimed to bridge the gap between the country’s changing healthcare needs and technological advances.  According to the MOH, the healthcare landscape in Singapore is undergoing significant changes, including an ageing population, increased chronic disease prevalence, and advancements in medicine and health technologies.  The HCS Bill will “better safeguard the safety and well-being of patients, while enabling new and innovative services that benefit patients to be developed, in the changing healthcare environment.”

Currently, healthcare providers in Singapore are licensed and regulated under the Private Hospitals and Medical Clinics Act (PHMCA), which was designed to protect patient safety through the licensing of physical healthcare premises.  But, brick and mortar locations are quickly becoming a thing of the past as more and more healthcare services are delivered through mobile and online channels.  MOH intends to respond to this shift by repealing the PHMCA and replacing it with this new HCS Bill.

Continue reading

Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches

Share

The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action.  The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court.  Avery did not alert Bryne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records.  Bryne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.

Continue reading

CMS Confirms Policy on Texting Patient Information among Healthcare Providers

Share

The Centers for Medicare & Medicaid Services (CMS) recently issued a State Survey & Certification Memorandum effective immediately in order to clarify its position on texting patient information among health care providers.

Although CMS acknowledges that the use of texting to communicate with other members of a patient’s health care team has become a common and invaluable practice, it acknowledges that such practice risks noncompliance with the Medicare Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).  In order to text and comply with the CoPs or CfCs, CMS requires providers to use, maintain, and routinely assess secure, encrypted systems or platforms and minimize the risks to patient privacy and confidentiality per the Health Insurance Portability and Accountability Act and other requirements under the CoPs or CfCs.

Continue reading

Oncology Services Provider Reaches $2.3 Million Settlement with HHS for Data Breach

Share

21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database.  The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015.  Upon further investigation by 21CO and OCR, it was determined that 21CO:

  • Impermissibly disclosed the protected health information (PHI), including names, social security numbers, and diagnoses, and treatments, of 2,213,597 of its patients.   
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).   
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.   
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.   
  • Disclosed protected health information to  third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

Continue reading

« Older posts Newer posts »

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy