Do you have a HIPAA Business Associate Agreement (“BAA”) in place with all your vendors who have access to your patients’ Protected Health Information (“PHI”)?  If not, you may be exposing your practice to a significant monetary penalty.  On December 4, 2018, the United States Department of Health and Human Services Office of Civil Rights released a statement revealing they have reached a $500,000 settlement with a Florida hospitalist group for disclosing PHI to a vendor with whom they did not have a HIPAA BAA. » Read More

In a recent case, Filefax, a medical record storage, maintenance, and delivery company, paid the US Department of Health and Human Services, Office of Civil Rights (“OCR”) $100,000 to settle claims of HIPAA violations even after the company went out of business. » Read More

Generally, when using or disclosing an individual’s Protected Health Information (“PHI”), HIPAA regulations require the covered entity to obtain an authorization from an individual, including for research purposes[1].  The Office of Civil Rights (“OCR”), the entity that enforces HIPAA compliance, recently issued guidance for situations when an entity obtains an authorization from an individual for use and disclosure of PHI for research[2], focusing on the following topics:

• Sufficient Description – HIPAA regulations require that the authorization, in plain language, provide “a description of each purpose of the requested use or disclosure.

Sandra Jarva Weiss, a Member of law firm Norris McLaughlin, P.A., and Chair of its Health Care & Life Sciences Practice Group, presented “Medical Record Privacy Rights of Students Under FERPA and HIPAA” to the MidAtlantic College Nurses Association at their annual meeting on June 6 at Lafayette College in Easton. » Read More