HIPAA: Liability to Private Parties for Violations

November 14th, 2014.

An article by David Harlow on his blog, entitled "HIPAA: Liability to Private Parties for Violations", discussed how last week:

“Connecticut joined at least nine other states (DE, KY, ME, MN, MO, NC, TN, UT, WV) in recognizing that, while HIPAA does not create a private right of action for violation of privacy, it does constitute a standard against which the actions of a defendant in such a case will be judged. In other words, if a covered entity or business associate or downstream contractor releases PHI other than in accordance with HIPAA (i.e., for treatment, payment or health care operations purposes, or to or at the direction of the data subject or his or her legal representative), the breach of the HIPAA rule may be the basis for a finding of a breach of a duty of care in a state court negligence action.”

“Of course... we have long advised primary care (covered entities) and business associates that the potential liabilities and damages of non-HIPAA compliance exceed solely HHS-OCR audit failure penalties (which are potentially significant, may I add). It is possible in the context of a breach that a case could potentially be made for operational neglect,” as per Al Rozell from InfoTech Innovators. Mr. Rozell goes on to add, “HIPAA compliance is a way of conducting business and is not a single point-in-time attestation that just exists on a dusty report. The policies, procedures, practices, safeguards and monitoring must be happening day in and day out. To us, that is the operational burden of proof. Now, if a practice or BA has not conducted a HIPAA Security Risk Assessment, they are not even at the starting gate. An EHR is not a silver bullet that can holistically or magically make a practice HIPAA compliant… audits, assessments, other safeguards, policies, procedures and practices are part of the picture too.”

The Most Alarming Fact of the HIPAA Audits

Great article by Daniel J. Solove. Daniel is the John Marshall Harlan Research Professor of Law at George Washington University Law School.

Daniel reviews the results of the phase 1 HIPAA compliance audits performed by HHS-OCR, which took place during 2011 and 2012. The statistics are alarming as a whole, most notably:

  • Under OCR’s pilot audit program, “58 out of 59 health care providers audited had at least one negative finding regarding Security Rule compliance.” That’s more than 98%.
  • Two thirds of all entities (47 out of 59 providers, 20 out of 35 health plans, and 2 out of 7 clearinghouses) had no complete or accurate risk assessment program.
  • Of what OCR kindly termed the “findings and observations,” most involved the Security Rule. Of the total pilot audit findings, 60% were based on the Security Rule, 30% on the Privacy Rule, and 10% on the Breach Notification Rule.

The Second Phase of Audits

While there is no set start date, the second phase of audits is scheduled to begin this fall (2014) and continue into 2016.

Unlike phase 1, phase 2 will be conducted primarily by OCR staff. Another difference is that phase 2 will likely result in compliance reviews, a type of enforcement tool. Moreover, OCR does not intend for phase 2 to include on-site audits.

According to an OCR report, the 2014 audits will focus on covered entities and the following areas: security risk analysis and management, breach notifications, and privacy notices and access issues.

The InfoTech Innovators solution, powered by one of our elite security business partners, will provide you with the tools and expertise you need to help you comply with the HIPAA Security Rule. Our solution was developed by experts knowledgeable about the HIPAA Security Rule, computer and network security, and security training.

His article can be viewed here.

OCR staff briefs providers on what to expect when Phase 2 audits begins

Unofficially, OCR hopes to begin the audit process by the end of 2014 or the beginning of 2015. In this second round of HIPAA compliance audits, OCR will look at covered entities’ and business associates’ risk analysis and risk management (the Security Rule), the content and timeliness of breach notifications (the Breach Notification Rule), and the notice of privacy practices and access rights (the Privacy Rule). The agency will focus on the risk to the data, not the risk to the impacted individual.

Read the article here.

Healthcare Provider (Covered Entity) Business associates: A greater security threat than hackers

“As of Aug. 27, 2014, BAs are responsible for a whopping 58 percent of the records breached, according to OCR data. BAs work on behalf of healthcare organizations in countless ways: quality improvement analysis, patient safety activities, billing and collections, IT services, benefits administration and so on.”

Read the article here.

InfoTech Innovators, in addition to helping healthcare providers (covered entities), can also work with business associates to ensure their HIPAA Security Risk Assessments have been done, with a gap remediation plan, to help them establish ongoing risk management.

Report: 75 million records compromised so far in 2014

More than 75 million records have been compromised this year in approximately 568 breaches, according to the most recent breach report by the Identity Theft Resource Center.

“Medical and health care organizations accounted for the majority of breaches, at 43.5 percent. Last year, businesses accounted for 84 percent of breaches. The dramatic switch in targets, or impacted industries, could be indicative of a lack of education or resources in the health care field.”

Read the article here.

OCR: Conduct Risk Analysis – Or Else. HIPAA Enforcer Emphasizes Importance of Assessments

Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights, spotlighted the importance of conducting a timely risk assessment, as required under the HIPAA Security Rule, to pave the way for mitigating risks and avoiding breaches. Her remarks came during a Sept. 23 keynote presentation at the annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology.

“We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems,” Samuels said. “That is why enforcement is a critical part of our arsenal of tools to ensure compliance. Resolution agreements that include a monetary settlement are only a small fraction of the complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”

Read the entire article via the link below.

InfoTech Innovators is here to help…


The September 22, 2014 deadline for all HIPAA Business Associate Agreements (BAAs) entered into before January 25, 2013 to be updated and modified into compliance with the HIPAA Omnibus/Final Rule and the HIPAA/HITECH enhanced civil fine schedule of up to $1.5 million per section violation per year is three weeks away. All post-January 25, 2013 BAAs must already be compliant.

Read the whole article here.

Source: Owen D. Kurtin, Kurtin PLLC, Attorneys at Law



InfoTech Innovators LLC Receives 2014 Best of Toms River Award

Press Release


Toms River Award Program Honors the Achievement

TOMS RIVER June 6, 2014 — InfoTech Innovators LLC has been selected for the 2014 Best of Toms River Award in the IT Business and Solutions Consultant category by the Toms River Award Program.

Each year, the Toms River Award Program identifies companies that we believe have achieved exceptional marketing success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and our community. These exceptional companies help make the Toms River area a great place to live, work and play.

Various sources of information were gathered and analyzed to choose the winners in each category. The 2014 Toms River Award Program focuses on quality, not quantity. Winners are determined based on the information gathered both internally by the Toms River Award Program and data provided by third parties.

About Toms River Award Program

The Toms River Award Program is an annual awards program honoring the achievements and accomplishments of local businesses throughout the Toms River area. Recognition is given to those companies that have shown the ability to use their best practices and implemented programs to generate competitive advantages and long-term value.

The Toms River Award Program was established to recognize the best of local businesses in our community. Our organization works exclusively with local business owners, trade groups, professional associations and other business advertising and marketing groups. Our mission is to recognize the small business community’s contributions to the U.S. economy.

SOURCE: Toms River Award Program