Category Archives: HIPAA

October 24, 2023

To BAA or Not to BAA: Must You Have One?

By Kim Stanger

HIPAA applies to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity that “creates, receives, maintains or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.).[1] “A covered entity may be a business associate of another covered entity” when it performs such functions on behalf of another covered entity.[2] Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate.[3] To determine if an entity is a business associate, see our Business Associate Decision Tree.

September 15, 2023

HIPAA and Subpoenas, Orders, and Administrative Demands

By Kim Stanger

The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers and their business associates from disclosing protected health information in response to subpoenas and other government demands unless certain conditions are satisfied. This outline summarizes HIPAA rules for responding to such demands. To the extent there is a more restrictive state or federal law that applies in a particular case, the more restrictive law will usually control.

December 15, 2022

Mandatory Disclosures for Healthcare Workers Under Idaho Law

By Kim Stanger

The HIPAA privacy rules allow healthcare providers to disclose protected health information to the extent another state or federal law or regulation requires it:

A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.[1]

(45 C.F.R. § 164.512(a)(1)). Importantly, HIPAA only allows such disclosures if the other law requires the disclosure, not if the other law simply allows disclosures. (78 FR 5618). In cases where another law permits but does not require disclosure, HIPAA would preempt the other law and prohibit the disclosure unless another HIPAA exception applied.

September 23, 2021

Employee Vaccine Information: Privacy Concerns

By Kim Stanger

Given the COVID-19 vaccine mandates, employers—including healthcare entities—will need to confirm their employees’ vaccination status. Employers and healthcare providers must ensure they comply with privacy rules relating to employee vaccination information, including those imposed by the Health Insurance Portability and Accountability Act (HIPAA) and Americans with Disabilities Act (ADA).

April 14, 2021

HIPAA, Business Associates, and the Conduit Exception

By Kim Stanger

The HIPAA privacy and security rules impose significant requirements on covered entities and their business associates; violations may result in penalties ranging from $119 to $59,522 per violation. (45 CFR § 160.404; 45 CFR § 102.3; 85 FR 2879). “Business associates” are generally those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of a covered entity (45 CFR § 160.103, definition of business associate); thus, most entities that handle data for healthcare providers or their business associates will become business associates and subject to HIPAA requirements, including data storage, data transmission, and cloud services providers, unless an exception applies.

March 22, 2021

HIPAA, Patient Access, and Designated Record Sets

By Kim Stanger

With limited exceptions,[1] HIPAA generally gives individuals the right to access or obtain copies of their protected health information (“PHI”) from covered entities. (45 CFR § 164.524(a)). But the right of access does not apply to all PHI that a covered entity might have; instead, individuals only have a right to access information in their “designated record set”. This article summarizes relevant standards for determining which records patients have a right to access.

December 11, 2020

HHS Proposes Modifications to the HIPAA Privacy Rule

On December 10, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. The Holland & Hart Healthcare Group shares this important update from HHS for your information:

Read the HHS Update.

We will continue to monitor this news and will provide more in-depth insights on the impacts of the proposed modifications.

October 26, 2020

HIPAA Enforcement: Lessons from the OCR’s Recent Settlements

By Kim Stanger

The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million. Here are some of the key takeaways for healthcare providers:

1. Protect against cyberattacks. Healthcare entities remain a prime target for cyberattacks, with disastrous effects for victims, including providers and patients whose information is compromised or destroyed. The HIPAA security rule is intended to ensure that healthcare entities maintain the integrity, availability and confidentiality of electronic protected health information; successful cyberattacks often expose security rule violations. Premera Blue Cross agreed to pay $6.85 million after a phishing scam deployed malware that affected the information of 10.4 million persons. Another entity agreed to pay $2.3 million after a hacker accessed records of 6.1 million persons. Per the OCR, “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by HIPAA Rules … is inexcusable.” https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html. Cybersecurity is a major focus for HHS. In December 2018, the federal government published a guide to help healthcare providers of all sizes protect against cyberthreats, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx. In July 2020, HHS launched its Health Sector Cybersecurity Coordination Center (“HC3”) website, https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html, to offer additional support for healthcare providers. Cybersecurity is vital not only for regulatory compliance; it is essential to protect patients and ensure continued operation of the provider.

March 17, 2020

HIPAA Tips: Information for Covered Entities and Employers

By Kristy M. Kimball and Lisa Carlson

What’s the Issue?

Covered entities, such as hospitals and other healthcare providers, may be asked by unrelated third parties for information relating to a patient’s diagnosis or presumed diagnosis of COVID-19.

The information below outlines how the Health Insurance Portability & Accountability Act (“HIPAA”) applies to health information obtained or maintained by those subject to HIPAA (e.g., covered entities or business associates of covered entities), but does not cover state-specific privacy laws or employment-specific confidentiality laws. For example, the ADA, FMLA, and workers’ compensation laws all have confidentiality aspects that will impact employers.

March 11, 2020

Beware Laws Affecting Healthcare Transactions

By Kim Stanger

Republished with permission, this article originally appeared in the online edition of Idaho State Bar’s The Advocate on March 11, 2020.

Attorneys risk substantial fines, malpractice claims, and even jail time for violating any of several laws implicated in even simple healthcare transactions. Federal and state healthcare laws potentially affect any financial transaction involving healthcare providers, including employment or service contracts, group compensation structures, investment interests and joint ventures, leases for space or equipment, marketing programs, and patient billing practices. Failure to comply may result in significant fines and penalties for clients as well as malpractice claims—or worse—against their lawyers. This article describes several statutes and regulations that can be traps for the unwary in healthcare transactions.