How to Protect Your Practice’s Trade Secrets

By: Shobha Lizaso

“Prevention is better than cure” is a maxim that has reigned in the healthcare industry for thousands of years; however, this phrase echoes through the halls of the legal profession as well.

Healthcare practices often neglect to appreciate the value of their confidential information as assets and the need to protect these assets. Although HIPAA and HITECH compliance aids in maintaining the confidentiality of patient records, it does not protect a provider’s trade secrets.

Trade secrets of a healthcare practice may include any of the following: patient lists, financial information, contract rates, contract terms, client lists, collection rates, marketing tactics, pricing/discount information, and methods of doing business. If leaked, this information may be used by competitors to secure advantages over a healthcare practice. For example, patient lists could be used to solicit a practice’s patients, or contract rates and terms could be used by a competitor to undercut the rates of a practice.

Docs, You’ve Been Hacked. What’s Next?

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for the safe disclosure of patients’ protected health information. The news headlines showcase giant penalties for violations. However, Florida health care providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping-off point:

Out of Network VOB Process Hits a Speedbump

By: Urgent Medical Billing, Guest Contributor

The verification process is an important step in the billing cycle. When done correctly, the patient’s “VOB” will allow a healthcare provider to quickly determine whether it can accept the patient for treatment. A good verification will tell a provider the general information about a patient’s insurance policy, such as the deductible, the co-insurance and the out-of-pocket maximum. A very good verification will also include accreditation requirements, information on who would receive the payment for services, correct claims addresses for professional and facility charges, and more. The quicker a verification is done, the sooner a patient can be brought into treatment. Speed and accuracy are the name of the game when it comes to insurance verification, and United Healthcare, until very recently, was one of the quickest policies for an Insurance Verification Specialist to work with.

What is FIPA and How Is FIPA Different From HIPAA?

By: Jackie Bain

FIPA is the Florida Information Protection Act of 2014. It became effective on July 1, 2014. Many people consider FIPA to be Florida’s state law counterpart to the Federal Government’s Health Information Protection and Administration Act of 1996 (“HIPAA”). However, FIPA is, in many respects, more far-reaching than HIPAA. Those who transact business in the State of Florida are well served to be knowledgeable about FIPA.

FIPA affects more than just health care providers and those in the healthcare industry. Under FIPA, any business that acquires, stores, maintains or uses personal information must take reasonable measures to safeguard that information. “Personal information” includes the use of a person’s first and last name (or first initial and last name) in conjunction with his or her social security number, driver’s license or other government identification number, bank account number, credit or debit card number and password or PIN, medical history, or health insurance policy number. A convenience store that might have access to a person’s name and credit card number is just as accountable under FIPA as a hospital that might store that person’s medical history and insurance information.

Physician Communications: Considerations for Using Text Messages and Social Media

By: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients. And although open communication is generally thought of as positive, the medical profession should proceed with caution. Patients and consulting physicians rely heavily on their communications with their treating physicians. Thus, communications that do not require the thought or focus a physician would otherwise give to a situation may result in disaster. While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media:

Florida Clinical Labs Must Now Give Patients Direct Access to Their Laboratory Test Results

By: David Hirshfeld

In an effort to help individuals access their health information so that they can become more actively involved in managing their own health care, several agencies within the Department of Health and Human Services promulgated a rule that modifies the Clinical Laboratory Improvement Amendments (“CLIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) in a way that supersedes Florida State laws governing the disclosure of laboratory test results directly to patients.


HIPAA Stings Dermatology Practice

The US Department of Health and Human Services, Office of Civil Rights, is the chief enforcer of HIPAA. The Office’s recent enforcement of HIPAA with respect to a Massachusetts dermatology practice is illustrative of how the government views HIPAA and how vulnerable medical practices are.

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first, containing the final modifications to HIPAA mandated by HITECH, was issued as a proposed rule on July 14, 2010 and includes six modifications intended to improve the Rules.

The first omnibus final rule (1) makes business associates of covered entities directly liable for compliance with certain HIPAA privacy and security rule requirements; (2) strengthens the limitations on the use and disclosure of protected health information; (3) expands individuals’ rights to receive electronic copies of their health information; (4) requires entities to modify and redistribute their privacy practices protocols; (5) modifies individual authorization forms and other requirements to facilitate research, the disclosure of proof of child immunization to schools, and access to decedent information; and (6) modifies the enforcement rules to address violations such as non-compliance with the HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves breach notification for unsecured protected health information under the HITECH Act. This rule replaces the prior rule’s “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category – Section 1176(a)(1)      Each Violation        All such violations of an identical provision in a calendar year
(A) Did Not Know                             $100 – $50,000        $1,500,000
(B) Reasonable Cause                         $1,000 – $50,000      $1,500,000
(C)(i) Willful Neglect – Corrected           $10,000 – $50,000     $1,500,000
(C)(ii) Willful Neglect – Not Corrected      $50,000               $1,500,000

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office of Civil Rights will not hesitate to sanction providers for violating the Act in amounts in excess of $1.5 million.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By: Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identity theft program to combat these risks, including internal processes for identifying “red flags” of identity theft. The application of the Red Flags Rule to health care service providers was controversial, since it advanced the counterintuitive notion that a provider engaged in ordinary-course business activities, such as rendering health care services for which insurance or other payment would be received later, was a “creditor” by definition. The provider was thus equated with a financial institution and subjected to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program. The definition included “any person who regularly extends, renews, or continues credit…” The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service. Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations for the provider. Although the FTC later clarified its position, saying that the rule applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include routine health care services billing and collection activities (such as deferring payment of fees in connection with providing services) and that most service providers are not subject to the rule. Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data. To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply. Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient-identifying information, regardless of whether they are subject to the Red Flags Rule.

Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wake-up call to all health care organizations that use (or allow their physicians to use) portable devices containing patient-identifiable information. The sanction stems from a physician’s lost laptop computer containing electronic protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country. However, it was not necessary to definitively conclude whether any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether. For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address what happens when such devices are lost. In this case, it was the incident itself that caused the organization to formalize and take responsive measures. The barn door was closed after the horse got out. To the OCR, the covered entity’s reactive, rather than proactive, approach was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.

The facts are fairly simple. A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area. A personal laptop, containing health information of several thousand patients, was in the backpack. The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”; however, the device was not recovered. The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons. For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider. The OCR’s inevitable investigation in turn revealed significant noncompliance with multiple aspects of the Security Rule. Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning, its own physicians’ use of laptops issued to them by the organization. Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could freely download information and install applications remotely on these personal devices. Further, while the laptop in question was password protected and had “LoJack” tracking and wiping software, encryption was not employed. Moreover, many weeks passed before a hard drive wipe was effectuated, and only after it was determined that the device had been connected to the internet. In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure. Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach. In short, the entity should have anticipated that laptops would be lost, and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization. Here, the organization abrogated that duty, thus prompting a fine that may be disproportionate to the perceived harm. This outcome should prompt providers to take the HIPAA Security Rule, and the OCR’s enforcement efforts, seriously, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported.