HIPAA Amendment Purports to Strengthen the National Instant Criminal Background Check System (NICS) – Part I

The Department of Health and Human Services issued a final rule modifying HIPAA.  The modification expressly permits certain limited “covered entities” to disclose to the NICS the identities of individuals who are subject to a Federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving a firearm.  The scope of the amendment is narrow in that it authorizes the disclosure of “only the limited demographic and certain other information needed for purposes of reporting to the National Instant Criminal Background Check System” and specifically prohibits the disclosure of diagnostic or clinical information.  Further, very few covered entities will be impacted by this amendment.  The amendment authorizes the limited disclosure only if the covered entity is “a State agency or other entity that is, or contains an entity that is: (A) An entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the National Instant Criminal Background Check System; or (B) A court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to become subject to 18 U.S.C. 922(g)(4).”

The Final Rule is available for review at https://federalregister.gov/a/2015-33181.

Written by: Jacob Simpson

Hospital Liability for Employee HIPAA Breaches

A hospital employee, who has been “HIPAA-trained” and admits to knowing better, accesses his ex-wife’s new boyfriend’s medical records and posts sensitive information on social media.  Is the hospital liable for the employee’s actions?

First, assume that the hospital did nothing wrong.  That requires the assumption that the employee was adequately trained, that the employee’s job required that he have access to this data, and that there was no way to otherwise limit the employee’s access.

The Intersection of HIPAA and Negligence: Pharmacist’s Violation Cost Walgreens $1.44 Million

On November 14, 2014, the Court of Appeals of Indiana affirmed a $1.44 million judgment against Walgreens Company based on a HIPAA violation committed by a Walgreens pharmacist. Walgreen Co. v. Hinchy, 2014 WL 6130795 at *1 (Ind. Ct. App. 2014). In Walgreen Co. v. Hinchy, Walgreens’ pharmacist Audra Withers looked up the prescription information of Walgreens’ customer Abigail Hinchy. Withers then used the prescription information of Hinchy for personal reasons, which allegedly included allowing Withers’ husband to use the private information to pressure Hinchy into not asking Withers’ husband for child support. Upon figuring out how Withers’ husband obtained the private information, Hinchy contacted Walgreens’ regional office to report the matter.

During the investigation, Withers admitted to purposely accessing the information for personal use. Walgreens confirmed to Hinchy that a HIPAA violation had occurred. Id. Per Walgreens, “Withers received a written warning and was required to retake a computer training program regarding HIPAA.”

OCR Bulletin: Ebola and HIPAA Privacy in Emergency Situations

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently released a bulletin, HIPAA Privacy in Emergency Situations, reminding covered entities and their business associates that the protections of the HIPAA Privacy Rule are not set aside during an emergency.  OCR explains that the Privacy Rule is balanced to ensure that appropriate uses and disclosures of protected health information (PHI) may still be made when necessary to treat a patient, protect the nation’s public health, and for other critical purposes.  The bulletin further details the HIPAA Privacy Rule provisions that may allow covered entities and business associates to use or disclose PHI during an emergency.

HIPAA and Baby Photo Boards

As the NY Times article and related AOL video demonstrate (links below), baby photographs are protected to the same extent as medical records, Social Security Numbers and other types of individually identifiable information. The Health Insurance Portability and Accountability Act (HIPAA) protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. This is known as “protected health information (PHI).” See 45 C.F.R. § 160.103.