
By Lyn Savoie

On March 27, 2017, the Centers for Medicare and Medicaid Services (CMS) posted revisions to the Voluntary Self-Referral Disclosure Protocol (SRDP), which provides a process for the disclosure of potential or actual violations of the federal physician self-referral law (commonly known as the Stark Law). In an attempt to streamline the self-disclosure process, CMS issued new required forms and a financial worksheet for use by an entity when making a disclosure. Under the revised SRDP, the disclosing party must submit the following items:

(a) the SRDP Disclosure Form, which includes information about the disclosing party, the history of the noncompliant conduct, and steps taken to prevent future noncompliance;

(b) the Physician Information Form, which collects information regarding the noncompliant financial relationship between the physician and the disclosing party (Note that a separate form is submitted for each physician in a noncompliant relationship.  Therefore, if a physician practice fails to meet the Stark Law definition of group practice, a separate form would be required for each physician whose compensation arrangement with the group was noncompliant.);

(c) a Financial Analysis Worksheet (submitted in Excel-compatible format), which quantifies the overpayment associated with each physician referral and describes the methodology used to calculate the overpayment amount; and

(d) a certification of the truthfulness of the information contained in the disclosure.

The disclosing party may also submit an optional cover letter that includes information it believes may be relevant to CMS’ evaluation of the disclosure.

Although the new forms are only required to be used starting on June 1, 2017, the CMS website encourages providers to begin using the revised forms at this time.  The new forms are available here.


By Lyn S. Savoie

On January 9, 2017, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its first HIPAA settlement arising from a failure to provide timely breach notification. Presence Health Network (Presence), one of the largest health care systems in Illinois, agreed to pay $475,000 as a result of Presence’s 2013 failure to provide timely notification in accordance with the HIPAA Breach Notification Rule. A copy of the Resolution Agreement between Presence and OCR is available here.

In 2013, Presence reported to OCR the loss of paper-based operating room schedules containing protected health information of 836 individuals. Under the Breach Notification Rule, HIPAA covered entities are required to provide written notification to individuals affected by a breach without unreasonable delay and in no case later than 60 calendar days following discovery of the breach. Additionally, for breaches affecting more than 500 individuals, contemporaneous notice must also be provided to OCR and notice must be provided to prominent media outlets serving the State or jurisdiction where more than 500 affected individuals reside. According to the Resolution Agreement between Presence and OCR, Presence failed to comply with all of the required notification deadlines. OCR’s investigation revealed that Presence notified the affected individuals 104 days following discovery, OCR 101 days after discovery, and the media 106 days after discovery. Moreover, during its investigation, OCR identified several other occasions where Presence was late notifying individuals of breaches affecting less than 500 individuals.

The settlement is an important reminder to covered entities of the need to timely and effectively investigate and report data breaches. As noted in the Resolution Agreement, each day that a notification is late is a separate violation of the Breach Notification Rule. Covered entities need to have effective policies and procedures in place to appropriately respond to and report data breaches. Additionally, covered entities must adequately train their workforce members on how to identify and internally report potential data breaches.

As a reminder, the deadline for reporting 2016 breaches involving less than 500 individuals is March 1, 2017.



By Jennifer J. Thomas

Recognizing the global problem of abuse and addiction to opioids, the Louisiana Legislature and the Louisiana Board of Pharmacy have enacted legislation and regulations to provide for the prescribing, dispensing and administration of Naloxone, an opioid antagonist.

In 2014, the Louisiana Legislature passed legislation authorizing “first responders” (peace officers, firefighters, EMS practitioners) to receive a prescription for Naloxone and maintain the Naloxone in the first responder’s possession for administration to any individual who is undergoing or who is believed to be undergoing an opioid-related drug overdose. The first responder is required to complete training necessary to safely and properly administer Naloxone including: techniques on how to recognize symptoms of an opioid-related overdose; standards and procedures for the storage and administration of Naloxone; and emergency follow-up procedures. First responders are immune from civil liability, criminal prosecution or disciplinary action under any professional licensing statute as a result of the administration of the Naloxone unless personal injury results from the gross negligence or willful or wanton misconduct of the first responder administering the drug.

During the 2016 legislative session, the Louisiana Legislature expanded the use of Naloxone and other opioid antagonists by authorizing a licensed medical practitioner, either directly or by standing order, to prescribe or dispense Naloxone without having examined the individual to whom it may be administered if: (1) the practitioner provides the individual receiving and administering the Naloxone or other opioid antagonist all the training required by the Louisiana Department of Health (“LDH”) for safe and proper administration of Naloxone; and (2) the Naloxone or other opioid antagonist is prescribed or dispensed in such a manner that it shall be administered through a device approved for this purpose by the United States Food and Drug Administration. Like first responders, licensed medical practitioners are granted immunity from civil liability, criminal prosecution, or disciplinary or other adverse action under any professional licensing statute. The 2016 legislation also authorized licensed pharmacists to dispense Naloxone or other opioid antagonists that are prescribed, directly or by standing order, as provided for in the rules promulgated by the Louisiana Board of Pharmacy. A licensed pharmacist who, in good faith, dispenses Naloxone or other opioid antagonists shall not be subject to civil liability, criminal prosecution, or disciplinary or other adverse action under any professional licensing statute.

The Louisiana Board of Pharmacy (“LBP”) has published in the Louisiana Register Declarations of Emergency providing for standing orders for the distribution of Naloxone. The first Emergency Rule was effective August 10, 2016, but because the LBP needed additional time, it directed the reissuance of the original Emergency Rule effective December 7, 2016. The Emergency Rule provides for the issuance by a Louisiana-licensed medical practitioner of a nonpatient-specific standing order for the facilitated distribution of Naloxone or other opioid antagonists. The standing order shall expire one year after the date of issuance. A Louisiana-licensed pharmacist may distribute Naloxone or other opioid antagonists according to the terms of the standing order until the one-year expiration of the standing order. Before Naloxone or another opioid antagonist drug product can be released to the recipient, the pharmacist shall verify the recipient’s knowledge and understanding of the proper use of the drug product, including: (1) techniques on how to recognize signs of opioid-related drug overdose; (2) standards and procedures for the storage and administration of the drug product; and (3) emergency follow-up procedures, including the requirement to summon emergency services either immediately before or immediately after administering the drug product to the individual experiencing the overdose. The pharmacist is required to attach a copy of the standing order to the invoice or other record of sale or distribution of Naloxone or other opioid antagonists and shall store the transaction documents with the other distribution records in the pharmacy.

LDH has promulgated the Final Rule setting forth the best practice training requirements for licensed medical practitioners. Training includes: signs of overdose; signs of overmedication; instructions for storage and administration; and referral to the Substance Abuse and Mental Health Services Administration’s (“SAMHSA”) opioid overdose toolkit. Licensed medical practitioners shall instruct persons administering the opioid antagonist to immediately call 9-1-1 for medical assistance. Once the person has been stabilized by emergency medical services, the treating practitioner is required to refer the patient to substance use treatment services. In the Final Rule, LDH strongly encourages prescribers to co-prescribe Naloxone or another opioid antagonist once in a given year to persons receiving opioid therapy for greater than 14 days.

The promulgation of the legislation and regulations increasing access to potentially life-saving medication will hopefully reduce the number of deaths resulting from opioid overdose in Louisiana.



By Brian R. Carnie

On Friday, November 18, 2016, the IRS announced an automatic extension of the Affordable Care Act deadlines for distributing the 1094-B/1095-B and 1094-C/1095-C forms to employees. This relief gives applicable employers an additional 30 days (from January 31, 2017 to March 2, 2017) to deliver these forms to employees. This relief only applies for the 2016 reporting year.

The IRS did not change the deadlines for filing the Forms 1094 and 1095 with the agency. The deadline for filing these forms by mail is February 28, 2017. Employers filing electronically have until March 31, 2017.

Similar to 2015, the IRS also announced it would not penalize employers for incorrect or incomplete forms for 2016 as long as they make good faith efforts to comply. This relief is not available for covered employers who fail to timely file the forms. Although there is much talk about repealing and replacing the ACA once the new administration takes office, until Congress acts (which likely won’t happen until after the 2016 reporting deadlines have passed) we recommend that employers comply with the current requirements to avoid unnecessary penalties or fines.

Stay tuned for future anticipated changes!


By Jennifer J. Thomas

During the 2016 regular Legislative session, the Louisiana Legislature amended and reenacted several statutes relative to the practice of telemedicine. Under the prior legislation, a physician was required to conduct an in-person patient history and physical exam before engaging in a telemedicine encounter. Now, a physician who is either licensed in the state of Louisiana or has a Louisiana telemedicine permit may treat a patient residing in Louisiana via telemedicine if: the physician has access to the patient’s medical records; creates his or her own medical record on the patient; and, if necessary, provides a referral to a physician in Louisiana or arranges for follow-up care in Louisiana as may be indicated. Another change is that the physician is no longer required to use video to communicate with the patient, and instead can use interactive audio (i.e., telephone) if, after accessing and reviewing the patient’s medical records, the physician determines that he or she is able to meet the same standard of care as if the healthcare services were provided in person.

The Legislature also enacted a new statute, La. R.S. 37:1271.1, to provide for conditions and authorizations relative to the practice of telemedicine at Louisiana licensed healthcare facilities that hold a current registration with the U.S. Drug Enforcement Administration. If a physician uses telemedicine to treat a patient at the facility, the physician, using the same standard of care as if the healthcare services were provided in person, can prescribe a controlled substance without conducting an in-person patient history or physical exam. For example, this revision to the law will permit a physician to prescribe controlled substances to a hospitalized patient via telemedicine without prior in-person contact with the patient.

The Legislature instructed the Louisiana healthcare licensing boards to promulgate Rules consistent with the statutory amendments. On October 20, 2016, the Louisiana State Board of Medical Examiners (“LSBME”) responded by issuing a Notice of Intent to revise its Rules to conform to the amendments. The LSBME’s proposed revisions incorporate the statutory changes identified above. The physician will no longer be required to conduct an in-person visit, but must be able to refer the patient to another physician in Louisiana or arrange for follow-up care in Louisiana if required by the standard of care. Additionally, the LSBME proposes to remove the current requirement that a physician practicing medicine by telemedicine have a physical practice location in the state or have an arrangement with a physician who maintains a physical practice location in Louisiana to accept patients on referral and for follow-up care. However, a physician will be required to identify on the application for a telemedicine permit the primary locations from which telemedicine will be utilized by the physician.

The LSBME’s proposed Rules impose two changes affecting documentation of telemedicine encounters. First, the record maintained by the physician must clearly state that the patient encounter occurred via telemedicine. Second, the medical record must be made available to the LSBME upon request.

With regard to controlled substances, the LSBME’s proposed Rules incorporate the new statutory exception for prescribing to patients being treated in licensed healthcare facilities, but maintain the prohibitions against prescribing controlled substances via telemedicine for the treatment of non-cancer-related chronic or intractable pain or obesity.

The LSBME is accepting written comments on the proposed rule amendments until November 21, 2016. If requested, a public hearing will be held on November 28, 2016 at 1:30 a.m. at the LSBME office to consider data, views, arguments, information or comments from the public. The amendments to the Rules will not become final until the Legislative oversight process is complete and the Final Rules are published in the Louisiana Register.



By Jennifer J. Thomas

The Centers for Medicare and Medicaid Services, Office of the Inspector General (“OIG”) published a Proposed Rule in the September 20, 2016 Federal Register that would change the structure and expand the authority of State Medicaid Fraud Control Units (“MFCU”). The OIG wants to change the Federal participation in the costs attributable to establishing and operating a MFCU as well as incorporate into the rule statutory and policy changes that have occurred since 1977. Those changes include:

  1. raising the Federal matching rate for ongoing operating costs from fifty (50) to seventy-five (75) percent;
  2. establishing a Medicaid State plan requirement that a State must operate an “effective MFCU”;
  3. establishing standards under which MFCUs must be operated;
  4. allowing MFCUs to seek approval from the Inspector General to investigate and prosecute violations of State law related to fraud in any aspect of the provision of health care services under any Federal health care program, including Medicare, as long as the fraud is primarily related to Medicaid; and
  5. giving MFCUs the option to investigate and prosecute patient abuse, neglect, or misappropriation of patient funds regardless of whether the providing facility receives Medicaid payments.

The Proposed Rule adds or revises several definitions to expand the authority of the MFCUs to prosecute. For example, “board and care facility” would be added so that, under item (5) listed above, the MFCUs’ investigative authority would now include complaints of abuse or neglect at non-Medicaid assisted living facilities. The definition of “provider” would be amended to include those who are required to enroll in a State Medicaid program, such as ordering and referring physicians. The intent of this amendment is to clarify that providers who are not furnishing items or services for which payment is claimed directly under Medicaid, such as providers enrolled in managed care, can be the subject of an MFCU investigation and prosecution. A definition of “fraud” is to be added to clarify the MFCUs’ authority to investigate and prosecute both criminal and civil fraud.

The Proposed Rule would change MFCU staffing requirements to require all employees, whether part-time or full-time, to devote their “exclusive effort” to MFCU functions. Each MFCU must employ a director who would supervise all MFCU employees. The MFCU must be a “single identifiable entity in State government” and would operate under its own budget separate from that of its parent agency.

All MFCUs under the Proposed Rule would be required to submit all convictions to the OIG for purposes of program exclusion within 30 days of sentencing. MFCUs would also be required to make information on investigations involving the same suspects or allegations available to OIG investigators and attorneys. If the MFCU discovers an overpayment made to a provider or facility, the MFCU must either recover the overpayment or refer the matter to the proper State agency for collection.

The MFCU changes outlined in the Proposed Rule are not yet final. Any person can submit comments to the OIG by 5:00 p.m. Eastern Standard Time on November 21, 2016. If the changes in the Proposed Rule are made, it could result in increased investigations and prosecutions by State MFCUs against a broader scope of providers and facilities.


By Jennifer J. Thomas

The Louisiana Board of Pharmacy promulgated a Final Rule on September 20, 2016 giving Louisiana-licensed pharmacists the authority to perform medication synchronization and refill consolidation services for their patients. Under the Rule, the pharmacist may adjust the dispensing quantity and refill schedule for multiple medications so that all of the patient’s medications can be dispensed on the same day each month, ultimately reducing the number of trips a patient has to make to the pharmacy.

While the pharmacist may adjust the quantity or refill schedule originally ordered by the prescribing physician, the pharmacist cannot dispense more than the total quantity of the original prescription plus refills. For example, if the original prescription was for thirty (30) pills taken over thirty (30) days with three (3) refills, the total quantity of pills would be one hundred and twenty (120) pills. With refill consolidation, the pharmacist can adjust the quantity to initially dispense 15 pills with refills of 45, 30, and 30 to achieve the same total quantity originally prescribed over the same time period.

If the prescription is for a controlled substance where refills have been authorized by the prescriber, the pharmacist can partially fill the prescription, but cannot exceed the quantity noted on the original prescription. If the prescription is for a Schedule II controlled substance and the pharmacist is unable to supply the full quantity called for in the prescription, the pharmacist may partially fill that prescription; however the remaining portion of the prescription should be dispensed within 72 hours. Otherwise, the pharmacist must notify the prescriber and a new prescription must be written.

The intent of medication synchronization and refill consolidation is to help reduce medication waste and improve medication adherence. According to the Louisiana Board of Pharmacy, there is evidence that patients with simple medication schedules are more likely to actually take their medications. By synchronizing medications prescribed by multiple prescribers such that a patient only has to make one visit to the pharmacy each month, there is also an increased likelihood of reducing transportation costs for the patients.

The Louisiana Board of Pharmacy notified all pharmacies and pharmacists of the new medication synchronization rule on September 21, 2016. Therefore, consumers can now work with their local pharmacists to get all of their prescription medications in sync.


By Jennifer J. Thomas

The Louisiana Department of Health issued two Emergency Rules in the September 20, 2016 Louisiana Register amending licensing standards governing Pediatric Day Health Care (“PDHC”) Facilities in an effort to avoid a budget deficit in the medical assistance program. The Emergency Rules revised the PDHC Program description and criteria to provide that, in order to receive PDHC services, a Medicaid recipient must not only have a medically fragile condition, but also must have a medically complex condition involving one or more physiological or organ systems and require skilled nursing and therapeutic interventions performed by a registered nurse or licensed practical nurse on an ongoing basis in order to:

  1. preserve and maintain health status;
  2. prevent death;
  3. treat/cure disease;
  4. ameliorate disabilities or other adverse health conditions; and/or
  5. prolong life.

The above list is new and supersedes the former list of medically necessary interventions that could previously be performed by “professionals” at the PDHC centers, but now require performance by a licensed nurse.

The Emergency Rules further require that a physician must order the PDHC services and prepare a plan of care not to exceed 90 days specifying the frequency and duration of services. The Emergency Rules also changed the requirement that a re-evaluation of PDHC services be performed at least every one hundred and twenty (120) days to now mandate that the PDHC’s medical director review the plan of care with the PDHC staff and the prescribing physician every ninety (90) days. The evaluation must include a review of the current plan of care and the provider agency’s documented current assessment and progress toward goals. A face-to-face evaluation must also be held every ninety (90) days by the child’s prescribing physician.

Finally, the Emergency Rules clarify that a parent, legal guardian or legally responsible person providing care to a medically complex child in a home or any other extended care or long-term care facility is not considered a PDHC facility and shall not be enrolled in the Medicaid Program as a PDHC services provider.

The Emergency Rules took effect September 1, 2016, and are expected to reduce expenditures in the Medicaid Program by $527,764.00 in state fiscal year 2016-2017.


By Jessica Engler and Lyn Savoie

Ransomware is here to stay. According to a recent United States Government interagency report, on average, there have been approximately 4,000 daily ransomware attacks since early 2016, which is a 300 percent increase from the approximately 1,000 daily ransomware attacks reported in 2015.[1] A significant percentage of those affected by ransomware have been healthcare providers who are subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Ransomware is a form of malware that targets a user’s critical data and systems in order to extort payment for restoration of the data or system. After the user is locked out of their system, the perpetrator demands a ransom payment in order to have the data restored; otherwise, the data will be deleted or remain permanently encrypted. After the user sends payment, the perpetrator typically provides the victim an avenue to regain access to the data.

The healthcare industry is particularly vulnerable to this cyber activity because ransomware can block access to electronic medical records, which can disrupt patient care.[2] In February, attackers held data belonging to the Hollywood Presbyterian Medical Center in Los Angeles for ransom using a piece of ransomware called “Locky.” The hospital remained offline for over a week until hospital officials caved to the demands and paid the equivalent of $17,000 in Bitcoin.[3] Other hospitals and healthcare providers have faced similar attacks.[4] According to new research by Solutionary, an Omaha-based security firm, healthcare organizations were 114 times more likely to be hit by ransomware infections than financial firms, and 21 times more likely than educational institutions.[5] This increase in attacks and threat to healthcare records caused lawmakers to push the U.S. Department of Health & Human Services (“HHS”) for guidance regarding ransomware cybersecurity attacks—particularly on the points of reporting attacks and whether such attacks are considered a violation of HIPAA.

On July 11, 2016, the Office for Civil Rights (“OCR”) issued new guidance on how to handle ransomware attacks under HIPAA. This new guidance discusses how the security requirements under HIPAA can help organizations prevent, detect, and recover from ransomware attacks. The OCR guidance expressly provides that the presence of ransomware on a computer system is a “security incident” under the HIPAA Security Rule and, therefore, an entity impacted by such ransomware must initiate its security incident response and reporting procedures. Additionally, the OCR guidance addresses whether a ransomware infection is considered a “breach” under HIPAA.

Whether or not the presence of ransomware will constitute a breach is a case-by-case determination. The HIPAA Rules define a “breach” as “the acquisition, access, use, or disclosure of Protected Health Information (“PHI”) in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”[6] In cases where electronic PHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was accessed and is consequently an impermissible disclosure under the HIPAA Privacy Rule. The entity must then comply with the applicable notification provisions under the HIPAA Breach Notification Rule, including notifying the affected individuals, the Secretary of HHS, and (if the breach affects more than 500 individuals) the media.[7]

Pursuant to the HIPAA Breach Notification Rule, a breach is presumed to have taken place unless the entity suffering the attack can show that there is a “low probability that the PHI has been compromised.”  To make such a determination, the entity must perform a risk assessment that considers, at a minimum, the following four factors:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom disclosure was made;
  • Whether PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.[8]

In its recent guidance document, OCR encourages entities to consider additional factors, such as the high risk of unavailability of the data or a high risk to data integrity.[9] This risk assessment must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. Further, covered entities and business associates must maintain supporting documentation regarding the breach assessment—and, if applicable, notification—process, including documentation of: (1) the risk assessment demonstrating the conclusions reached; (2) any exceptions determined to be applicable to the impermissible use or disclosure of the PHI; and (3) all notifications that were made, if applicable.[10] Outside of this guidance, it is undetermined at this time what will satisfy OCR that a particular ransomware attack qualifies as having a “low probability of harm.”

The full OCR guidance can be found on the HHS’s website, which also includes recommendations for protection of data in order to prevent a breach, as well as response and recovery from the ransomware attack.[11] It should be noted that this new guidance does not create new law. Rather, it is a clarification by OCR of federal law that has been in place since 2013, meaning that entities subject to HIPAA that have suffered a ransomware attack in the past three years may need to determine whether they need to report the incidents.

Data breaches are serious incidents. They can be even more serious and dangerous when patients’ medical records and medical care are at stake. It is recommended that healthcare entities, as well as their HIPAA business associates, consult with an attorney to ensure compliance with HIPAA before a breach happens, as well as immediately after a potential breach is discovered, to perform the proper due diligence and move in the right direction towards compliance and recovery.

_____________________________________________

[1] United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, Justice.gov (available at https://www.justice.gov/criminal-ccips/file/872771/download).

[2] Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired.com (13:31:00, Mar. 30, 2016) (available at https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/).

[3] Id.; Joseph Conn, Hospital Pays Hackers $17,000 to Unlock EHRs Frozen in ‘Ransomware’ Attack, Modern Healthcare (Crain Communications, Inc., Feb. 18, 2016) (available at http://www.modernhealthcare.com/article/20160217/NEWS/160219920).

[4] See, e.g., Bill Siwicki, Ransomware Attackers Collect Ransom from Kansas Hospital, Don’t Unlock All the Data, then Demand More Money, Healthcare IT News (HIMSS Media, 14:58:00, May 23, 2016) (available at http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom); Mike Miliard, Two More Hospitals Struck by Ransomware, in California and Indiana, Healthcare IT News (HIMSS Media, 10:55:00, Apr. 4, 2016) (available at http://www.healthcareitnews.com/news/two-more-hospitals-struck-ransomware-california-and-indiana); Joseph Conn, Patient Data Held for Ransom at Rural Illinois Hospital, Modern Healthcare (Crain Communications, Inc., Dec. 17, 2014) (available at http://www.modernhealthcare.com/article/20141217/NEWS/312179948).

[5] Meg Bryant, Healthcare Orgs at Much Higher Risk of Ransomware Attack Than Financial Institutions, Healthcare DIVE (Industry Dive, Jul. 28, 2016) (available at http://www.healthcaredive.com/news/healthcare-orgs-at-much-higher-risk-of-ransomware-attack-than-financial-ins/423395/); Maria Korolov, Health Care Organizations 114 Times More Likely to Be Ransomware Victims than Financial Firms, CSO (IDG, 5:00:00, Jul. 26, 2016) (available at http://www.csoonline.com/article/3099852/security/health-care-organizations-114-times-more-likely-to-be-ransomware-victims-than-financial-firms.html).

[6] U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).

[7] See 45 C.F.R. 164.400–414.

[8] 45 C.F.R. 164.402(2).

[9] Data integrity is an important consideration in the ransomware context, as many ransomware programs delete the original data and leave only the data in the encrypted form. Eric Schulwolf, HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and are Likely a Data Breach, JD Supra Business Advisor (JD Supra, LLC, Jul. 25, 2016) (available at http://www.jdsupra.com/legalnews/hhs-ocr-guidance-on-ransomware-attacks-11173/).

[10] 45 C.F.R. 164.530(j)(iv), 164.414, 164.402(1).

[11] See U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).


By Lyn S. Savoie

On April 14, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), entered into a $750,000 settlement with a North Carolina orthopaedic clinic arising from the clinic’s disclosure of x-ray films and related protected health information of 17,300 patients to an entity that was engaged by the clinic to transfer x-ray images to electronic media. According to an OCR press release, the clinic released the information to the outside entity without executing a HIPAA business associate agreement, leaving the information “without safeguards and vulnerable to misuse or improper disclosure.” The OCR investigation arose as a result of the clinic’s breach self-report, which was submitted to OCR in 2013.

In addition to payment of the $750,000 fine, the resolution agreement and accompanying corrective action plan entered into between the clinic and OCR also requires the clinic to take the following corrective action steps:

  • provide HHS the names of all of its business associates and copies of the corresponding business associate agreements;
  • revise its policies and procedures regarding business associates to better track its business associate relationships and appoint a responsible individual or individuals to coordinate its business associate arrangements;
  • train all of its workforce members who use or disclose PHI within sixty (60) days following HHS’s approval of its revised business associate policies and procedures and related training materials, and annually thereafter;
  • train all new workforce members on its revised and approved business associate policies and procedures within fifteen (15) days after beginning work for the clinic;
  • for a period of two years, notify HHS within thirty (30) days of any failure by a clinic workforce member to comply with its HIPAA policies and procedures, including the actions taken to address the matter, to mitigate any harm, and to prevent it from recurring, including appropriate sanctions taken against such workforce member;
  • for a period of two years, submit an annual report to HHS regarding its compliance with the terms of the corrective action plan, with an accompanying attestation by an owner or officer of the clinic.

This latest enforcement action reinforces the need for covered entities to accurately identify their business associates and execute HIPAA-compliant business associate agreements prior to disclosure of protected health information to these outside entities.