Why an annual risk assessment should be at the top of your New Year’s resolutions

It is difficult to believe that another year is about to end. Given the emphasis by Office for Civil Rights (OCR) on HIPAA items, it is only fitting that the year is closed out with some recent HIPAA highlights.

The Department of Health and Human Services (HHS) OCR published a Request for Information (RFI) in the Federal Register (83 Fed. Reg. 64302) on Dec. 14. Specifically, HHS is opening up the floor to the public on various aspects of the HIPAA Privacy Rule and Security Rule, which may impede the coordination of care. This request is a bit perplexing, as 45 CFR § 164.506 expressly defines “uses and disclosures to carry out treatment, payment, or healthcare operations.” Specifically, Section 164.506(c), which was last modified in the Omnibus Rule (78 Fed. Reg. 5566, 5698) states the following:

Implementation specifications: Treatment, payment, or healthcare operations.

• A covered entity may use or disclose protected health information (PHI) for its own treatment, payment, or healthcare operations.

• A covered entity may disclose PHI for treatment activities of a healthcare provider.

• A covered entity may disclose PHI to another covered entity or a healthcare provider for the payment of activities of the entity that receives the information.

• A covered entity may disclose PHI to another covered entity for healthcare operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the protected health information pertains to such relationship, and the disclosure is: (i) For a purpose listed in paragraph (1) or (2) of the definition of healthcare operations; or (ii) For the purpose of healthcare fraud and abuse detection or compliance.

• A covered entity that participates in an organized healthcare arrangement may disclose protected health information about an individual to other participants in the organized healthcare arrangement for any healthcare operations activities of the organized healthcare arrangement.

Physicians should also take note that a covered entity may be a business associate of another covered entity. However, just because information is shared between two separate covered entity does not mean that the obligation to comply with the Privacy Rule and Security Rule ceases to exist. In fact, it is imperative that due diligence is conducted and that a BAA, Data Use Agreement or Privacy and Security Agreement is executed. Failing to take these measures could be costly in the event of a breach.

The breach brings us to another recent action at the OCR: a settlement with Advanced Care Hospitalists PL (ACH), an entity that provides contracted internal medicine physicians to hospitals and nursing homes in Florida. ACH contracted with an individual who represented himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. However, the individual who provided medical billing services to ACH using First Choice’s name and website did so without knowledge or permission.

A local hospital eventually notified ACH that PHI was available on a website. OCR fined ACH $500,000 after discovering that it had never entered into a BAA or implemented the requisite technical, administrative, and physical safeguards as outlined by the Security Rule.

In sum, HIPAA is a topic to continue to watch. Physicians and other entities alike should put the required annual risk assessment on the top of their 2019 New Years’ resolutions. 

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.