As COVID-19 swab (PCR) and blood (antibody) testing continue to occur in greater numbers and diverse settings, it is important to recognize that the results of such tests are subject to HIPAA privacy and security compliance rules. There is a common public misconception that the declaration of a public health emergency has created a broad exception for covered entities and business associates to use and share COVID-19 testing results.» Read More
In response to the COVID-19 epidemic, federal and state governments implemented numerous and expansive regulatory changes to ensure patients were provided access to required testing and treatments. One of the more important (and ultimately successful) regulatory changes was the temporary expansion of telehealth services.» Read More
With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates became directly liable for certain privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). Business associates are those individuals or entities (other than employees) who perform functions or activities on behalf of, or provide certain services to, covered entities which require access to protected health information (PHI).» Read More
Fitness trackers have not only become a prominent part of everyday life, but also a big part of corporate wellness programs. Since fitness watches and health tracking phone apps have risen in popularity, companies have started to integrate these technologies into their wellness programs. » Read More
Do you have a HIPAA Business Associate Agreement (“BAA”) in place with all your vendors who have access to your patients’ Protected Health Information (“PHI”)? If not, you may be exposing your practice to a significant monetary penalty. On December 4, 2018, the United States Department of Health and Human Services Office of Civil Rights released a statement revealing they have reached a $500,000 settlement with a Florida hospitalist group for disclosing PHI to a vendor with whom they did not have a HIPAA BAA. » Read More
As most physician practices move towards implementing EHR systems and technologies, medical offices are often prompted to decide whether or not to dispose of old medical records for inactive patients. The question of how long a physician must maintain patient medical records depends on a variety of business and legal factors, as outlined below.» Read More
In a recent case, Filefax, a medical record storage, maintenance, and delivery company, paid the US Department of Health and Human Services, Office of Civil Rights (“OCR”) $100,000 to settle claims of HIPAA violations even after the company went out of business. » Read More
Generally, when using or disclosing an individual’s Protected Health Information (“PHI”), HIPAA regulations require the covered entity to obtain an authorization from an individual, including for research purposes[1]. The Office of Civil Rights (“OCR”), the entity that enforces HIPAA compliance, recently issued guidance for situations when an entity obtains an authorization from an individual for use and disclosure of PHI for research[2], focusing on the following topics:
Sufficient Description – HIPAA regulations require that the authorization, in plain language, provide “a description of each purpose of the requested use or disclosure.