Less than one week after its last announced settlement, the Office for Civil Rights announced its first seven-figure HIPAA settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 for alleged systemic HIPAA violations. A 2017 breach involving an unencrypted stolen laptop triggered the investigation. OCR found HIPAA Security Rule violations and the lack of a business associate agreement with its parent corporation, which reported the 2017 breach.
Tag Archives: HIPAA
Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations. Over 9 years ago, the FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients. This breach report prompted an investigation revealing a near complete failure to comply with the HIPAA Security Rule.
We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.
In guidance issued today, OCR explained that, with a few limitations, healthcare providers may use patient information to contact recovered COVID-19 patients and provide information about donating blood and plasma.
In line with its other Notices of Enforcement Discretion, OCR announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site, such as a mobile, drive-through or walk-up site.
The CARES Act made important changes to 42 CFR Part 2 rules by aligning use and disclosure rules more closely with HIPAA. This is an important development and will require some operational tweaks by Part 2 Providers such as obtaining initial consent and ensuring the use of a Notice of Privacy Practices.
Late Friday, the Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA as a follow up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith roll out of telehealth services during the COVID-19 emergency. The FAQs provide useful information about the types of applications that can be used for telehealth as well as examples of bad faith conduct.
By executive order late yesterday, Governor Ned Lamont expanded permission to offer “audio-only” telehealth services to commercial insurer’s in-network providers furnishing covered telehealth services. Two days ago, the Governor granted this permission to Medicaid providers serving Medicaid beneficiaries. The Executive Order also addresses licensure and location requirements and conditions for other providers wishing to offer telehealth services. Additionally, the order assures providers that compliance with federal agency guidance on HIPAA is adequate to meet state law.
Just one week ago, Medicaid in Connecticut did not cover telehealth services. Then, DSS issued Provider Bulletins 2020-09 and 2020-10 providing for emergency temporary telehealth coverage in response to the Covid-19 pandemic. Today, the Connecticut Department of Social Services (DSS) issued Provider Bulletin 2020-14, which further expands Medicaid reimbursement to include telehealth delivered via telephone.
Today, the Department of Health and Human Services announced that its Office for Civil Rights, which enforces HIPAA, will not enforce requirements that are a barrier to making telehealth services available.
