The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According to the OCR, Jackson notified the OCR in 2013 that paper records of 256 patients’ personal health information (PHI) located in three boxes were lost in 2012. It thereafter reported in 2016 that the loss was actually 1,436 patient records.

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).

On December 14, 2018, the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and case management, (ii) may inhibit the transformation to a value-based health care system, and (iii) may be modified to facilitate efficient care coordination and case management, and promote the transformation to value-based care. OCR also solicits comment on four specific proposals for modifying the HIPAA regulations to accomplish some of its stated goals:

The Office for Civil Rights has announced that it has settled with Lakeland, Florida-based Advanced Care Hospitalists (ACH) for $500,000 over allegations of an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals.

According to the press release, between November 2011 and June 2012, ACH engaged an individual who claimed to be a representative of Doctor’s First Choice Billings, Inc., which provides medical billing services. Although the individual used First Choice’s website and company affiliation, the owner of First Choice denied that the individual was employed by First Choice, and stated that the services were provided without the knowledge or permission of First Choice.

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding and recycling. OCR’s investigation indicated that Filefax impermissibly disclosed PHI of 2,150 individuals over a two-week span in early 2015 by leaving PHI in an unlocked truck in Filefax’s parking lot, or by leaving PHI within medical records sitting outside of Filefax’s business for a third party to collect.

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015

Below is a summary of some of the key provisions relevant to investigators and research sites included in the recently enacted, bipartisan 21st Century Cures Act, including human subjects protections and the privacy and security of health information used in clinical research.  Among other requirements, the Act:

  • requires the Department of Health and Human Services (HHS) to harmonize the U.S. Food and Drug Administration (FDA) Human Subjects Regulations with the HHS Human Subject Regulations (the Common Rule), which should help streamline research that falls under both sets of regulations;

  • requires the harmonization of financial conflict-of-interest disclosure policies and regulations of research funding agencies, including minimum reporting thresholds, and the implementation of other measures by HHS to reduce administrative burdens on researchers;

  • modifies FDA regulations to allow informed consent to be waived or altered for clinical research that “poses no more than minimal risk” and includes “appropriate safeguards” which are required to be promulgated by HHS, bringing the FDA regulations in line with the Common Rule; and

  • allows research sites to use central IRBs for all research studies, including those involving medical devices.