
Compliance Update
Why you need a HIPAA-compliant business associate agreement
Written by Vitale Health Law
Monday, 01 May 2017 00:00

The recent announcement by The Department of Health and Human Services' Office for Civil Rights (OCR) that it agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with The Center for Children's Digestive Health (CCDH) should serve as a lesson to other healthcare organizations about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors before disclosing any protected health information.

Last month, CCDH, a seven-center pediatric subspecialty practice based in Park Ridge, Illinois, agreed to pay OCR $31,000 to resolve potential HIPAA violations. CCDH also agreed to adopt a corrective action plan, which includes updating policies and procedures, conducting staff training on those policies and procedures, and making one or more employees responsible for ensuring that HIPAA-compliant business associate agreements are obtained from all business associates.

New OIG Rules Change Patient Incentive Program Landscape: Where Are the Limits Now?
Thursday, 13 April 2017 00:00
With health care becoming more consumer-driven, health care providers and health plans are wrestling with how to incentivize patients to participate in health promotion programs and treatment plans. As payments are increasingly being tied to quality outcomes, a provider's ability to engage and improve patients' access to care may both improve patient outcomes and increase providers' payments. In December 2016, the Office of Inspector General of the US Department of Health and Human Services (OIG) issued a final regulation implementing new "safe harbors" for certain patient incentive arrangements and programs, and released its first Advisory Opinion (AO) under the new regulation in March 2017. Together, the new regulation and AO provide guardrails for how patient engagement and access incentives can be structured to avoid penalties under the federal civil monetary penalty statute (CMP) and the anti-kickback statute (AKS). 

Last Updated on Friday, 14 April 2017 17:28
OIG Opinion Applies Access to Care Exception
Written by Vitale Health Law
Monday, 27 March 2017 00:00

Can a hospital system provide free or reduced-cost lodging and meals to certain financially needy patients, or would such an arrangement either (a) constitute a violation of the federal anti-kickback statute or (b) constitute grounds for the imposition of civil monetary penalties because it would violate a provision of the Social Security Act that prohibits remuneration to a federal healthcare program beneficiary that might influence the beneficiary's selection of a particular provider?

That was the question recently answered in an Advisory Opinion issued by the U.S. Department of Health and Human Services Office of the Inspector General (OIG).

The requestor, whose name is redacted, owns and operates an academic medical center consisting of four hospitals and a number of hospital-based clinics. One of those hospitals operates a Level I trauma center and provides care to patients, some of whom live in rural and medically underserved areas. 

Last Updated on Tuesday, 28 March 2017 14:39
Patient Privacy Concerns in Our Social Media World
Written by Chanel A. Mosley, Esq.
Monday, 06 March 2017 16:15

Social media is now at the very core of our culture, and gone are the days when websites like Myspace and Facebook were nothing more than a guilty pleasure of adolescents and college students. Social media outlets like Facebook, Twitter, Instagram, Snapchat, and numerous others are now used not only by our younger generations, but also by corporate giants, local businesses, celebrities, and just about everyone, everywhere. The use of social media in the professional healthcare setting is widely accepted, but with it come ever-growing concerns about patient privacy and the consequences associated with the unauthorized use and disclosure of protected health information. Consider the following scenarios:
  • A nursing student creates a post on her Myspace page that details her experience with a mother's birth of her child.  Although the post does not contain the mother's name, the student's Myspace page indicates the hospital at which the birth occurred, the date of the birth, and details of the medical treatment administered during the birth.
  • A nurse posts a statement on her Facebook page excitedly sharing that she met a celebrity at work today and identifies the celebrity by name.
  • A receptionist at a physician's office snaps a photo of a patient in the waiting room and posts it on Facebook with a comment that he is drug-seeking.  The comment also contains the name of the patient's employer and details regarding the patient's referral to another medical provider.
  • A medical student obtains video of a physician inserting a chest tube into a patient and posts the video on YouTube.  The patient's face is visible in the video.
  • Employees of a nursing home use Snapchat to record and transmit videos of themselves harassing the residents.
Each of these scenarios implicates serious patient privacy concerns that have the potential to expose the health care provider, as well as the provider's employer, to a variety of administrative, civil, and potentially criminal penalties. It does not matter that the social media posts omit the patient's name or other identifiers. Rather, the Health Insurance Portability and Accountability Act (HIPAA) defines protected health information to include individually identifiable health information, meaning any health information created or received by the health care provider that relates to the past, present or future physical or mental health or condition of a patient. 45 C.F.R. §§ 164.501, 164.502, 160.103. Therefore, social media posts containing information regarding a patient's physical or mental health or condition will likely constitute HIPAA violations if disclosed to unauthorized users for a purpose unrelated to the patient's treatment or another limited exception.

In the first scenario, irrespective of the fact that the Myspace post contains no information regarding the patient's name, the patient-specific information in the post discusses the patient's pregnancy and healthcare, and was found by a Federal District Court to implicate patient privacy concerns.  In the second scenario, although the nurse did not identify the celebrity as a patient or specify the treatment provided, her profile page identifies the hospital at which she works and the date on which the post was made.  The remaining three scenarios are much easier to identify, as the patient's identity is clearly depicted.

From the employer's perspective, HIPAA violations involving social media require the employer to take action.  For example, notification must be sent to the individual patient within a set period of time after discovery of the violation, and this information is ultimately submitted to the U.S. Department of Health and Human Services.  Based upon the matter at issue, employers may be subject to civil monetary penalties and, if warranted, criminal fines.  Importantly, the individual employee who made the unauthorized disclosure may also be subject to these civil and criminal penalties. 

Not only do these social media posts implicate possible civil and criminal fines under HIPAA, but they also expose the health care provider to potential disciplinary actions by the Department of Health.  For example, a physician engaging in such conduct may be faced with an administrative action and possible discipline on his or her license, including the assessment of fines, by the Board of Medicine.  Further, the employee responsible, and likely the employer, may find themselves faced with the threat of litigation in a civil lawsuit filed by the patient.  Causes of action sounding in breach of privacy or fiduciary duty, negligent hiring and supervision, or defamation are possible as a result of the social media post.  In those instances, employers and employees alike may spend thousands of dollars and countless hours defending the lawsuits.

To avoid these unfortunate situations, employers should take preventative measures to ensure that employees are fully aware of the possible repercussions associated with posting patient information on social media sites.  It is also a good business practice for the employer to implement policies concerning employee use of social media, and to educate employees on the importance of avoiding any situations which implicate patient privacy concerns.  An example of this guidance is the ethical opinion issued by the American Medical Association in 2011 concerning physician use of social media and networking applications online.  This opinion highlights the importance of refraining from posting any information that may contain identifiable patient information.  By ensuring that all employees are abiding by such guidelines, employers are in a much better position to avoid the unauthorized use and disclosure of protected health information on social media.

Chanel A. Mosley is an attorney in the Orlando, Florida office of Marshall Dennehey Warner Coleman & Goggin.  She devotes her practice to the defense of claims involving medical malpractice, long-term care, and other healthcare and general liability matters.  She can be reached at or through the firm's website at

Last Updated on Monday, 06 March 2017 16:22
HIPAA Compliance in 2017: The Heat is on
Written by Vitale Health Law
Tuesday, 21 February 2017 19:04

The doctor-patient relationship has always involved a certain level of privacy. But over the years, the stakes for healthcare providers who violate patient privacy have increased exponentially. Barely two months into 2017 and already we are seeing increased activity.

According to a newly released report from Protenus, in conjunction with, January saw 31 healthcare data breaches disclosed resulting in the exposure of 388,307 patient and health plan member records.

The largest healthcare data breach reported last month involved CoPilot Provider Support Services, Inc. and impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services' Office for Civil Rights, however, was only notified of the breach in January 2017, well outside the 60-day deadline for reporting breaches.

According to the report, the average number of days between the breach occurring and the incident being reported to OCR was 174 days. It took an average of 123.5 days for healthcare organizations to discover a breach had occurred.

Those healthcare entities affected by data breaches are finding themselves having to pay significant penalties. Case in point, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information.

Presence Health, one of the largest healthcare networks serving Illinois, agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan.

Last Updated on Monday, 13 March 2017 17:18