OCR Settlement with Physician Group Highlights Need For HIPAA Business Associate Agreements

This week, the OCR announced another HIPAA settlement based on a provider’s failure to have a Business Associate Agreement in place before disclosing PHI to a third-party business vendor.

OCR had initiated an investigation of Raleigh Orthopaedic Clinic, P.A. of North Carolina following receipt of a breach report which revealed a release of protected health information (PHI) without first having a business associate agreement (BAA) in place.

OCR Announces $1.55 Million Settlement Based on Failure to Have a Business Associate Agreement in Place and Conduct an Organization-Wide Risk Analysis

The Office for Civil Rights (OCR) announced on March 16, 2016, that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle allegations that it violated the HIPAA Privacy and Security Rules by failing to implement a Business Associate Agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. The OCR initiated an investigation of North Memorial following receipt of a breach report that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

2016 Hot Compliance Areas For Physician Practices

Physician practices should pay attention to the recent reports released by the Department of Justice (DOJ), OIG and other agencies regarding their enforcement actions in 2015 and priorities in 2016. These reports and recent settlements reveal hot compliance areas that physician practices should focus on in 2016.

The following are some of the hot compliance areas in 2016 for physician practices based on recent reports such as the DOJ Health Care Fraud and Abuse Control Program Annual Report for 2015 and settlements and other enforcement actions involving physicians.

OCR Issues Guidance on Access to PHI – Providers and ROI Companies Beware

On February 25, 2016, the Office for Civil Rights, which enforces the HIPAA privacy rules, released lengthy guidance on a patient’s right to access their medical records under 45 CFR §164.524. The link to the guidance is http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. The publication also includes a number of FAQs addressing copy fees, including “What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?”, “How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?”, and “When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?”

Providers will get a sense for OCR’s perspective from the following FAQ comment: “Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.”

BSW is planning a webinar in the near future on this guidance. If you’d like to receive notice of that webinar, please contact Sharon.Stickling@bswllp.com.

Written by: Greg Frost

Hot Off the Presses! CMS Issues Final Overpayment Regulations

On Friday, February 12, 2016, the Centers for Medicare and Medicaid Services (CMS) issued the final overpayment reporting and refunding rule for Medicare Parts A and B overpayments (Final Rule). This Final Rule adopts federal regulations to implement Section 6402(a) of the Affordable Care Act (ACA) enacted in March 2010 that requires the identification, reporting and refunding of certain overpayments from the Medicare and Medicaid programs (the “Overpayment Law”). CMS had previously issued a proposed rule in February 2012 containing regulations to implement the Overpayment Law, which raised several questions and compliance challenges by physicians and other health care providers.