Category Archives: HIPAA

HIPAA and Jason Pierre-Paul’s Medical Chart – Setting the Record Straight

Last night, ESPN reporter Adam Schefter tweeted a photo of New York Giants defensive end Jason Pierre-Paul’s medical chart, which indicated that Pierre-Paul had his index finger amputated. The amputation was apparently the result of a fireworks accident on the Fourth of July. Prior to Schefter’s report of the amputation, the injury was already a major offseason story for the NFL, as Pierre-Paul is a Pro Bowler, and initial reports indicated that the New York Giants withdrew an outstanding $60 million contract offer as a result of the Fourth of July injury.

Football aside, the Pierre-Paul story is yet another example of a celebrity patient’s medical information being disclosed to the media. Right now, the internet is ablaze with news stories and comments suggesting that Adam Schefter and/or ESPN violated HIPAA by posting a copy of Pierre-Paul’s medical chart. Despite the public outcry, this view reflects a fundamental misunderstanding of HIPAA and its prohibitions. Adam Schefter and ESPN are not the ones that should be concerned about a HIPAA violation; the hospital and the employee(s) that leaked Pierre-Paul’s medical chart, however, should be.

At its most basic level, HIPAA provides certain federal protections for protected health information (“PHI”) held by covered entities and their business associates. The definition of a “covered entity” includes health care providers, health plans, and health care clearinghouses. See 45 C.F.R. 160.103. A “business associate,” in turn, is generally defined to include a person or entity that creates, receives, maintains or transmits PHI on behalf of a covered entity. Id.

Clearly, neither ESPN nor Adam Schefter constitutes a covered entity or business associate. Absent evidence of a conspiracy with hospital employees to obtain the documents in violation of HIPAA, ESPN and Adam Schefter should be in the clear with respect to HIPAA. On the other hand, unless Pierre-Paul appropriately authorized the disclosure of his medical chart, the hospital and its employee(s) that leaked the medical chart to Adam Schefter could face significant civil and/or criminal penalties in connection with a HIPAA violation.

It is also important to note that although HIPAA does not create a private right of action (meaning that only the Department of Health and Human Services Office for Civil Rights or State Attorneys General can enforce HIPAA), private individuals have had some success with lawsuits alleging state law privacy violations that use HIPAA to establish the standard of care.

For additional information regarding HIPAA, please contact Dan O’Brien, Cliff Mull, or any other member of Benesch’s Health Care Department.

CareFirst, Third Major Health Insurer This Year To Be Hit By Cyberattack

On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected.  The event affects current and former CareFirst members, as well as individuals who do business with CareFirst online, who registered to use CareFirst’s websites prior to June 20, 2014.

CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names.  The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.

Explaining how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyberattacks on other insurers earlier this year, he created a task force to review the company’s information technology systems.  CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems.  Last month, Mandiant determined that a breach had occurred in June 2014, allowing unauthorized access to a single database containing the information listed above.

Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected.  Because state law claims that use HIPAA as the standard of care have had some success, the suits will likely focus on potential harm from the disclosure and on whether CareFirst adequately protected the information and provided timely notice.  These are the same types of claims brought in the numerous class action lawsuits following the Anthem cyberattack in February 2015.

The cyberattack and the pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures.  For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

2015 Phase Two HIPAA Audits – Delayed Again

Recently, the Director of the Department of Health and Human Services Office for Civil Rights (“OCR”) confirmed that OCR is still working to finalize the procedures for “Phase Two” HIPAA audits. OCR had initially planned to launch the Phase Two audits in the Fall of 2014. Apparently, the delay is the result of behind-schedule implementation of the technology that OCR will use to collect audit-related documentation from covered entities and business associates via a web portal. An official date for the launch of Phase Two audits has not yet been announced.

The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is designed to test entities’ compliance with the Privacy Rule, Security Rule, and Breach Notification Standards. If you are a covered entity or business associate, this delay in the launch of Phase Two audits provides a great opportunity to conduct a comprehensive assessment of your current HIPAA compliance program. This means doing much more than just checking boxes and keeping an old binder of policies and procedures on your shelf. Instead, covered entities and business associates need to take real action, such as reviewing the audit protocol from the pilot program and applying it to their own organization, conducting a risk assessment, engaging in a dialogue with their compliance officer, and reviewing and updating training materials, among other steps.

Being proactive now will go a long way toward easing the burden of a Phase Two audit, should your organization be selected. If you have any questions concerning Phase Two HIPAA audits, or general HIPAA compliance, please do not hesitate to contact a member of Benesch’s Health Care Department.

HIPAA Security Rule Enforcement Not Yet Meeting Federal Requirements

A recent Office of Inspector General (OIG) report reviews the progress made by the Office for Civil Rights (OCR) toward enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following the amendments made by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. The OIG found OCR enforcement to be meeting Federal HIPAA requirements in some key areas, but wanting in others.

OCR enforcement activities that meet Federal requirements include (1) making available guidance promoting compliance with the Security Rule; (2) the investigation process for responding to reported Security Rule violations; and (3) proper application of penalties to covered entities found in violation of the Security Rule.