Tag Archives: medical records

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

1 Indest-2008-1By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at http://www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.


“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Pediatricians Who Are Targets of Medicaid Audits Should Request Hearings on the Final Audit Report Results

00011_RT8By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

We have recently been contacted by several pediatric practices that were subject to Medicaid audits. In several cases, the pediatricians received the final audit reports (FARs) stating that they owed Medicaid refunds, because of overbillings, in the tens of thousands of dollars.

With such demands for repayment of the alleged overpayments also come:

  1. Fines;
2. Penalties;
3. Requirements to sign agreements to refrain from such practices in the future;
4. Requirements to have personnel retrained; and
5. The specter of future audits.

In many cases, Medicare and Medicaid auditors may swiftly review supporting medical records and overlook key components that support the level of services (or CPT codes) that were billed, erroneously downgrading the code or disallowing the charge completely. Other times the pediatric or medical practice may have only provided partial records and have left out some key records that would support the codes billed.

Challenging the Determination.

Unfortunately, after receipt of the FAR, the only hope of challenging the determination would come by filing a written request or petition for a formal hearing in, specifically, a Medicaid case. In Medicare cases, other interim reviews or appeals are available.

If you have additional records you failed to provide, or if after a thorough review of the records you did provide show that all of the elements of a CPT code you billed (e.g., 99204 or 99205) were documented, then we recommend that you immediately retain the services of a board certified health lawyer experienced with Medicare and Medicaid audits to file a petition for you. Be sure a written request or petition for a formal hearing is filed within the time stated in the letter you receive, even if you must retain an attorney afterwards. Remember that the request must be in writing and must be received by the agency at the address specified before the date in the letter has passed.

You can always work out a settlement agreement, repayment agreement, or agreement for a different resolution of the situation. What you can’t do is to go back and get back your hearing rights after they have expired.

Steps to Take if you Receive Notice of an Audit.

What you should do immediately upon receiving notice of an audit:

 1. Retain the services of a board certified health lawyer who is experienced with such audits.

 2.  In a timely manner, provide all relevant documents pertaining to the audit, properly labeled and pages numbered (note:  in many instances, this may include more than just the minimum documents the audit requested).

 3. Watch for any interim, initial or preliminary audit reports (PARs), and be prepared to rebut it in detail if it requests a refund.

 4. If you receive a FAR demanding a repayment, be prepared to hire a board certified health lawyer who is experienced with such audits, if you have not already done so.

 5. If you disagree with the findings in the FAR, be sure the agency receives your request for a formal hearing to challenge the determination, prior to the date given in the FAR or demand letter.

For additional details, pointers and tips on this subject you may click here to read the prior blog we have published.

For information, details, pointers and tips on the subject of Medicare audits, you may click here to read the prior blog we have published on this.

Comments?

Do you know what to do if you are the target of a Medicaid audit? Did you know about requesting a hearing on the final audit report results? Please leave any thoughtful comments below.

Contact Health Law Attorneys Experienced with Medicare and Medicaid Cases.

Attorneys with The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in Medicare and Medicaid investigations, audits, recovery actions and termination from the Medicare or Medicaid Program. We also handle Medicare audits, ZPIC audits and RAC audits throughout Florida and across the U.S.

Our attorneys also represent health care professionals and health facilities in qui tam or whistleblower cases both in defending such claims and in bringing such claims. We have developed relationships with recognized experts in health care accounting, health care financing, utilization review, medical review, filling, coding, and other services that assist us in such matters. We have represented doctors, nurses and others as relators in bringing qui tam or whistleblower cases, as well.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2014 The Health Law Firm. All rights reserved.

 

HIPAA Fines, Mobile Devices and Risk Assessments: Follow the Steps or Pay the Price

Lance Leider headshotBy Lance O. Leider, J.D., The Health Law Firm

Two separate entities have agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 in fines collectively. The settlements resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules involving stolen, unencrypted laptops. These two actions shine a light on the significant risk unencrypted laptops and other mobile devices pose to the security of patient information.

To read the press release from the HHS OCR, published on April 22, 2014, click here.

Concentra Received Risk Assessments, But Did Not Act on Findings.

According to the OCR, an investigation of Concentra Health Services, a subsidiary of Humana, was conducted after a laptop was stolen from a Missouri physician therapy center. This investigation revealed that Concentra had previously received multiple risk analyses that stated the company lacked encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information. Concentra’s efforts to remedy the risk were incomplete and inconsistent, leaving patients’ health information vulnerable. Concentra agreed to pay $1,725,220 to settle potential security violations and adopt a corrective action plan.

QCA Investigation.

The QCA Health Plan, Inc., investigation began in February 2012, after an unencrypted laptop containing the medical records of 148 individuals was stolen from an employee’s car. The investigation revealed that QCA failed to comply with multiple requirements of the HIPAA privacy and security rules. According to Modern Healthcare, the company is required to pay $250,000, as well as provide HHS with an updated risk analysis and corresponding risk-management plan.

Click here to read the entire article from Modern Healthcare.

Encrypt Laptops and Other Equipment or Pay the Price.

Encryption is one of your best defenses against incidents. These two settlements highlight the need for all entities to encrypt their laptops and other devices. Failing to do so may put that entity at risk for paying a large fine to the OCR and possible fines for state law violations.

HIPAA-covered entities are responsible for making sure all personal information is protected.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at http://www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Are the laptops and other mobile devices at your practice encrypted? Does your practice regularly perform HIPAA risk assessments? Please leave any thoughtful comments below.

Sources:

Conn, Joseph. “Unencrypted-Laptop Thefts at Center of Recent HIPAA Settlements.” Modern Healthcare. (April 23, 2014). From: http://www.modernhealthcare.com/article/20140423/NEWS/304239945/unencrypted-laptop-thefts-at-center-of-recent-hipaa-settlements

U.S. Department of Health and Human Services Press Office. “Stolen Laptops Lead to Important HIPAA Settlements.” U.S. Department of Health and Human Services. (April 22, 2014). From: http://www.hhs.gov/news/press/2014pres/04/20140422b.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Data Breach at Colorado Hospital Highlights IT Security Risks

Lance Leider headshotBy Lance O. Leider, J.D., The Health Law Firm

A small rural hospital in Glenwood Springs, Colorado, has identified a virus on its computer network that had captured and stored screen shots of protected health information in a hidden file system. The hidden folder was created on Sept. 23, 2013, but was not discovered until Jan. 23, 2014. The breach identified at least 5,400 individual patients whose information was compromised.

According to Healthcare IT News, among the stolen data was patient names, addresses, dates of birth, telephone numbers, Social Security numbers, credit card information, and admission and discharge dates.

Hospital officials have been unable to determine how the virus was loaded onto the hospital network, according to Healthcare IT News. Consequently, officials believe that there is “very high” probability that the data had been accessed by an outside entity.

To read the entire article from Healthcare IT News, click here.

Take Steps to Secure Your Network.

Breaches of this kind are not solely confined to hospitals and large providers. In fact, it may be that this hospital was targeted because it was a smaller provider in a rural area with easier access to its systems.

Viruses like the one in question could be loaded onto systems as a result of an outside attack (think hackers) or through inside means like a flash drive or deliberately opening an infected e-mail.

It is imperative that a Health Insurance Portability and Accountability Act (HIPAA) covered entity have an effective cyber security plan. Make sure that you have up-to-date anti-virus software and that your computers are secure from access by unauthorized personnel like cleaning crews or patients and their families. Also, meet with your IT professional to discuss security measures you can put in place such as restricting access and accessibility to certain files or the ability to download programs and applications to essential staff only.

Hacked data represents a growing share of HIPAA breaches. It is imperative that covered entities ensure their compliance with HIPAA to avoid any sanctions by the Office for Civil Rights (OCR). To date, the OCR has collected in excess of $18 million in fines and penalties for failures to secure patient information.

Get a Risk Assessment.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Do you think it is likely that this hospital was targeted because it was a smaller provider in a rural area? Do you think a HIPAA risk assessment could have helped this practice avoid a breach? Please leave any thoughtful comments below.

Sources:

Harvey, Nelson. “Hospital Database Hacked, Patient Info Vulnerable.” Aspen Daily News. (March 15, 2014). From: http://www.aspendailynews.com/section/home/161578

McCann, Erin. “Small-Town Hospital Gets Hacked.” Healthcare IT News. (March 17, 2014). From: http://www.healthcareitnews.com/news/small-town-hospital-gets-hacked

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Dermatology Practice Settles with Government After Stolen USB Drive Results in HIPAA Breach

10 Indest-2008-7By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and Adult & Pediatric Dermatology (APDerm), reached a $150,000 settlement for privacy and security violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to an unencrypted USB drive that was stolen. The thumb drive contained the protected health information (PHI) of around 2,200 patients, according to a press release posted December 26, 2013, on the HHS website.

According to the HHS, this is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

APDerm delivers dermatology services to patients in Massachusetts and New Hampshire.

Alleged Violations Stemmed from Stolen, Unencrypted USB Drive.

According to the HHS, the OCR initiated its investigation after being tipped off that an unencrypted thumb drive containing the PHI of about 2,200 patients was stolen from a vehicle of an APDerm staff member. According to Healthcare IT News the thumb drive was never recovered.

The investigation allegedly revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of it security management process. It’s also alleged that APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train staff members.

According to Healthcare IT News, the settlement also includes a corrective action plan (CAP). The CAP requires the dermatology company to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. Click here to read the entire article on Healthcare IT News.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is protected. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them, selling them or trading them in on newer models.

To read a previous blog on Affinity Health Plan settling with government in photocopier HIPAA breach incident, click here.

Practical Tips.

The following are some lessons learned from this case. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work cite. If you need to work on it remotely, use a secure, encrypted internet connection to access your work data base. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at http://www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Millard, Mike. “Lost Thumb Drive Leads to $150K Fine.” Healthcare IT News. (December 30, 2013). From: http://www.healthcareitnews.com/news/lost-thumb-drive-leads-150k-fine

U.S. Department of Health and Human Services “Dermatology Practice Settles Potential HIPAA Violations.” HHS.gov. (December 26, 2013). From: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Two Laptops Containing Information of 729,000 Patients Stolen from California Hospital Group

6 Indest-2008-3By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The personal health information of around 729,000 patients has been compromised following the theft of two laptops. The password-protected computers were taken from an administration building of AHMC Healthcare Inc., a hospital group in Alhambra, California. According to the Los Angeles Times, the laptops contain data from patients treated at six different AHMC Healthcare hospitals. Surveillance video shows that the theft occurred on October 12, 2013, but hospital officials did not discover the laptops were missing until two days later.

To read the article from the Los Angeles Times, click here.

Laptops Contain Patient Information, But No Evidence Information Has Been Hacked.

According to the hospital group, the laptops contain data including patients’ names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payment records. Some of the files allegedly contain the Social Security numbers of Medicare patients.

So far, there is no evidence the information has been accessed or used, according to the CBS affiliate in Los Angeles. Click here to read the article from the CBS affiliate.

However, given that this just occurred a few days ago, it is probably too early to tell, anyway.

Breach Must Be Reported to the Department of Health and Human Services.

Hospitals are required, under federal law, to report potential medical data breaches involving more than 500 people to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for investigating all allegation of violations of HIPAA Privacy and Security Regulations.

According to the Los Angeles Times, AHMC Healthcare has already asked for an auditing firm to perform a security risk assessment. Hospital administrators are also expediting a policy to encrypt all laptops.

HIPAA Omnibus Final Rule Effective September 23, 2013–Get a Risk Assessment.

The HIPAA Omnibus Final Rule went into effect on September 23, 2013. By now, hospitals, physicians and all covered entities must comply with the HIPAA Omnibus Final Rule. The amendments to the rule are available on the HHS OCR website. I previously wrote a blog series about the HIPAA Omnibus Final Rule. Click here for part one, click here for part two and here for part three.

Covered entities should be performing HIPAA risk assessments to identify their security risks and implement protections before a data breach occurs. HIPAA has always required covered entities to perform HIPAA risk assessments. Very often, the first question the OCR asks when investigating a possible HIPAA violation is what risk assessment the health care provider has performed.

The objectives of an adequate HIPAA risk analysis are:

1. Identify the scope of the analysis – the analysis should include all the risks and vulnerabilities to the confidentiality, availability and integrity of all electronic health information regardless of its location.
2. Gather data – the covered entity must identify every location where electronic data is stored.
3. Identify and document potential threats and vulnerabilities – the covered entity should consider natural threats, human threats and environmental threats.
4. Assess current security measures – the covered entity must examine and assess the effectiveness of its current measures.
5. Determine the likelihood of threat occurrence – the covered entity should evaluate each potential threat and prioritize its plan to address each threat.
6. Determine the potential impact of threat occurrence – the covered entity should assess the possible outcomes of each identified threat such as unauthorized disclosure of confidential information.
7. Determine the level of risk – the covered entity should categorize each risk and plan its procedures to mitigate any damage cause by each risk.
8. Identify security measures and finalize documentation – the covered entity should thoroughly document all the steps it used in its risk assessment process.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think if this alleged HIPAA violation? Do you have policies and procedures in place to protect your patients’ right to privacy? Have you received a HIPAA risk assessment lately? Please leave any thoughtful comments below.

Sources:

Winton, Richard. “Laptop Thefts Compromise 729,000 Hospital Patient Files.” Los Angeles Times. (October 21, 2013). From: http://www.latimes.com/local/la-me-hospital-theft-20131022,0,1936078.story#axzz2iRg6Rh3Y

Los Angeles CBS. “Laptops Containing Patient Information Stolen from Alhambra Hospital.” Los Angeles CBS. (October 22, 2013). From: http://losangeles.cbslocal.com/2013/10/22/laptops-containing-patient-information-stolen-from-alhambra-hospital/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.

New Requirements Released for Physician Medical Records Related to Compounded Medications

MLS Blog Label 2By Michael L. Smith, R.R.T., J.D., Board Certified by The Florida Bar in Health Law and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On September 5, 2013, the Florida Board of Medicine and the Florida Board of Osteopathic Medicine published new requirements for medical record documentation related to compounded medications administered to patients in an office setting.  These standards become effective September 9, 2013. The standards are contained in Florida Administrative Code Rules adopted by each board.

We believe the updated requirements are a result of the recent recalls of tainted compounded medications that have spread across the country and infected thousands of patients. These new standards will make it easier for health care professionals to trace drug reactions and spot tainted batches of medications quickly. The new changes apply to the exact documentation required anytime a compounded medication is administered to a patient.

For the Florida Board of Medicine this is an update to Rule 64B8-9.003, Florida Administrative Code. For the Florida Board of Osteopathic Medicine this is an update to Rule 64B15-15.004, Florida Administrative Code.

New Medical Records Standards.

According to the Florida Board of Medicine and the Florida Board of Osteopathic Medicine, when compounded medications are administered to a patient in the office the medical record documentation must contain, at a minimum:

1.  The name and concentration of medication administered;
2.  The lot number of the medication administered;
3.  The expiration date of the medication administered;
4.  The name of the compounding pharmacy or manufacturer;
5.  The site of administration on the patient;
6.  The amount of medication administered; and
7.  The date the medication was administered.

New Standards Most Likely Triggered by Tainted Compounded Medications.

These new standards are being implemented about a year after a nationwide outbreak of fungal meningitis linked to contaminated drugs made by a compounding pharmacy in Massachusetts. Click here to read our previous blog. Florida is no stranger to allegations of tainted compounded products. In May 2013, Franck’s pharmacy in Ocala, Florida, was accused of distributing eye medications that contained a fungal infection. Click here for the first blog and here for the second blog on this.

It’s likely these updated requirements are a direct result of the recent issues with compounded medications and compounding pharmacies. In the event a health care professional’s office receives a batch of tainted compounded medicine, these medical record standards will help the health care professional track which patients received the tainted medications. Also, authorities, such as the Department of Health (DOH) and U.S. Food and Drug Administration (FDA), will be able to easily track and send recalls to the offices that receive tainted compounded medications.

Contact Health Law Attorneys Experienced in the Representation of Health Professionals and Providers.

The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, pain management doctors, dentists, pharmacists, psychologists and other health providers in Department of Health (DOH) investigations, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

Had you heard of these updates? Do you think these requirements will help officials track tainted medications? Please leave any thoughtful comments below.

About the Authors: Michael L. Smith, R.R.T., J.D., is Board Certified by The Florida Bar in Health Law. He is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.