The people's voice of reason

After A Recent Doctor Visit, Surgery And Hospital Stay, How Do I Know That All Of My Private Information Is Kept Confidential?

In August 1996, Congress passed the Health Insurance Portability and Accountability Act, known as HIPAA. After a long period of public comment and final rulemaking, compliance with the Privacy Rule was not required until April 2003, and compliance with the Security Rule that followed was not required until April 2005. The original aim of HIPAA was to let people covered by employer health plans move between jobs with continuous health insurance, even with pre-existing health conditions. Because those changes would significantly increase costs for health insurers, Congress also created rules to combat waste, fraud and abuse, and the resulting increase in electronic health insurance transactions required strengthened security rules.

Small health plans were given an extra year to implement the Privacy Rule and an extra year to implement the Security Rule. In 2009 the Breach Notification Rule came out, with no distinction between small and large institutions. The Privacy and Security Rules were further strengthened in 2013 by the Omnibus Final Rule that implemented the HITECH Act. Time has marched on, and smaller rules have been added since.

I follow the HIPAA Blog by Jeff Drummond, an attorney in Texas. Jeff does an excellent job of keeping health law attorneys up to date on the latest laws and HIPAA violations, and I have been able to add to his posts a couple of times. One of his most recent posts has to do with Warby Parker, which provides eyeglasses. Jeff posed the question of whether Warby Parker is a covered entity: that is, is it a health care provider, a health plan or insurer, or a health care clearinghouse? Like Jeff, I am not familiar with whether they do eye exams and would thus retain more extensive electronic protected health information (PHI or ePHI). Even if they do not provide eye exams and instead only manufacture glasses for providers, they would be a business associate, since they would by necessity hold PHI for clients. Regardless, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) imposed a $1.5 million fine on Warby Parker. Fines usually start in the thousands of dollars but, as you can see, can be quite large. The largest that I am aware of was a $16 million fine against Anthem Health, which had PHI stolen from 78.8 million patients. The year of the violation was 2015.

Many of the newer violations involve covered entities not lawfully handing over requested patient records in a timely fashion. I am guessing that some of these entities get hesitant if they think their liability is on the line and want a legal review of what the patient is receiving, or possibly they hope that by delaying, the patient will drop the request out of frustration.

The Office for Civil Rights at HHS has now issued a proposed rule and a call for public comment. The public comment period will end about the time this edition goes to distribution. The proposed changes mostly have to do with security, and they are the most significant update to the Security Rule since 2013.

Some of the items that the proposed rule addresses are:

Penetration testing once a year. Penetration testing requires ethical hackers who try to get into your network, whether you are a covered entity or a business associate. If they succeed they will not (on purpose) cause any disruption, but each entity will see its weaknesses,

Vulnerability scanning of networks every six months,

An attempt to more closely align the Confidentiality of Substance Use Disorder Patient Records rule with HIPAA, and an update on when and if reproductive health care information can be disclosed,

Changing the time frame to provide patient records from thirty days to fifteen days,

Creating a more shareable pathway among covered entities,

More specificity in risk assessments, which are already required but include some elements that are widely treated as optional,

Maintaining an inventory of technology assets and a map of the network,

Multi-factor authentication,

Encryption of all ePHI at rest and in transit, and

Many, many other things!

As good as these things are, they will be costly to everyone, and they will be a very real burden on small covered entities. Protected health information is much more valuable to the bad guys, or to the nation sponsoring them, than a credit card number, because a stolen card can be cancelled and reissued, while some of the things in your health information cannot be changed, like your birthdate.

I have heard of practices still using paper charts, but for the most part records are electronic, and the bad guys are always out to steal, regardless of whether someone suffers financial loss or even physical harm because needed health information is being held for ransom and was not properly backed up for access after the fact.

I hope that this has helped with your question. If you need a lawyer, you can contact the Alabama State Bar Lawyer Referral Service or ask a trusted friend about a lawyer they might recommend.

This article is informative only and not meant to be all-inclusive. Additionally, this article does not serve as legal advice to the reader and does not create an attorney-client relationship. The reader should seek counsel from their attorney should any questions exist.

"No representation is made that the quality of legal services performed is greater than the quality of legal services performed by other lawyers."

THE VIEWS OF SUBMITTED EDITORIALS MAY NOT BE THE EXPRESS VIEWS OF THE ALABAMA GAZETTE.
