Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA, the importance of instituting basic best practices for data breach prevention and response.

On November 26th, the OCR announced a settlement with Allergy Associations of Hartford, P.C. (Allergy Associations), a health practice specializing in allergies, due to alleged HIPAA violations resulting from a doctor’s disclosure of patient information to a reporter. A doctor from Allergy Associations was questioned by a local television station regarding a dispute with a patient, and disclosed the patients’ protected health information (PHI), the investigation found. The OCR concluded that such disclosure was a “reckless disregard for the patient’s privacy rights”. Allergy Associations agreed to a monetary settlement of $125,000 and corrective action plan that includes two years of monitoring HIPAA compliance.

» A well thought out media relations plan together with regular security and awareness training, even for doctors, would go a long way toward reducing these risks.

Again on December 4th, the OCR announced that it had reached a settlement with the physician group, Advanced Care Hospitalists PL (ACH) in Florida, over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor. According to OCR’s announcement, ACH engaged an unnamed individual to provide medical billing services without first entering into a business associate agreement (BAA). While it appeared the individual worked for Doctor’s First Choice Billing (“First Choice”), First Choice had no such record of this individual or his activities. ACH later became aware that the patient’s PHI was visible on First Choice’s website, with nearly 9,000 patients’ PHI potentially vulnerable. In the settlement ACH did not admit liability, but agreed to adopt a robust corrective action plan including the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. In addition ACH agreed to a $500,000 payment to the OCR.

» This is not the first time the OCR has reached settlements with covered entities over not having business associate agreements in place. Covered entities should consider a more formal vendor assessment and management. That is, certainly make sure there is a BAA in place, but also assess the business associate’s policies, procedures, and practices.

And finally, on December 11th, the OCR announced a settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, for potential HIPAA privacy and security violations. The settlement is in response to a complaint that a former employee of PSMC continued to have remote access to the hospital’s scheduling calendar which included patients’ electronic protected health information (ePHI), after termination of his employment relationship. OCR’s investigation revealed that PSMC did not have a business associate agreement in place with its web-based scheduling calendar vendor, or with the former employee. PSMC agreed to implement a two-year corrective action plan which includes updates to its security management and business associate agreement, policies and procedures, and workforce training. In addition, PSMC agreed to an $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

»This is a lesson for all businesses – when employees leave the organization (or are moved from a position that permits access to certain protected information), immediate changes should be made to their access – this includes physical and electronic access.

This series of recent settlements serves as a reminder of the seriousness in which the OCR treats HIPAA violations. In October, in honor of National Cybersecurity Awareness Month, the OCR together with the Office of the National Coordinator for Health Information Technology jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. This is an excellent tool to help organizations conduct an enterprise-wide risk analysis. Alternatively, our HIPAA Ready product provides a scaled approach for midsized and smaller healthcare practices and business associates. In the end, healthcare organizations and their business associates need to address basic best practices including: terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations.

View Original Source
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently leads the firm’s Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Mr. Lazzarotti also is a member of the firm’s Employee Benefits Practice Group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Mr. Lazzarotti counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Mr. Lazzarotti’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Mr. Lazzarotti speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Mr. Lazzarotti served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.