
Legal Column: 3 HIPAA Compliance Cases Giving Attorney Nightmares – Heidi Kocher, Esq


There is a lot at stake when healthcare professionals fail to comply with HIPAA and other government regulations. No one knows this better than I do, as a healthcare attorney.

The relationship between healthcare attorneys and the practices we serve is a paradox.

On the one hand, the healthcare attorney is viewed as the institution's life raft: we are here to provide the practice with advice, assistance, and defense against litigation, and we are usually deployed only in emergencies.

On the other hand, the healthcare practice is also the root of the healthcare attorney's insomnia, specifically its lack of compliance and diligence in regulatory matters.

What keeps me, a healthcare attorney, awake at night are the proverbial nightmares we face every day serving our clients, HIPAA compliance chief among them, while trying to help them add an ounce of prevention.

Watch for my ongoing series, and be sure to subscribe to Healthcare Practice Advisor so you don't miss any of my legal nightmares and the practical takeaway advice that goes with them. I'll get a better night's sleep and you'll be protected.

HIPAA is at the top of my list of sleep-stealers. Here are a few of the key HIPAA warning areas, along with some advice to help protect your practice:

Nightmare #1: Practices That Ignore HIPAA Compliance

HIPAA is a safeguard to protect patient data and privacy. Any healthcare practice that handles protected health information (PHI) must have processes in place, and actually follow them, to comply with HIPAA. There are several ways a healthcare practice can keep its attorneys up at night by neglecting HIPAA regulations, even unknowingly.

Not Knowing or Realizing Who Their Business Associates Are (Including Subcontractors)

A vendor that handles PHI on a practice's behalf is a business associate. Most practices understand that first-line service providers are likely to be business associates. But a daisy chain of outsourcing can land a practice in hot water.

Practices usually don't take steps to learn where such daisy chains lead, and a chain can end with a sub-business associate who is overseas and beyond the practice's control. Since the 2013 Omnibus Rule, a subcontractor that handles PHI for a business associate is itself a business associate and must be bound by its own BAA, but that does not spare the practice when the chain leaks. Ask each vendor, in the contract and in writing, whether it subcontracts any PHI work and to whom.

Case: UCSF Medical Center (UCSFMC)

UCSFMC's health information management (HIM) department outsourced transcription work to a transcription service, which outsourced it to an independent contractor (IC), who outsourced it to a second IC, who outsourced it to a transcriptionist in Pakistan.

The second IC failed to pay the Pakistani transcriptionist. In an effort to get paid for her work, she threatened UCSFMC with disclosure of patient information, and she attached patient files to her email to prove she had them.

UCSFMC had no idea that the initial transcription service had outsourced work to a second service, nor that the second service had sent it overseas.

Not Having a Business Associate Agreement (BAA)

HIPAA rules require that business associates who contract with healthcare institutions agree in writing to safeguard PHI. The regulation requiring a BAA has existed since 2003 (yes, 16 years ago!).

Yet, we still routinely see practices that do not have BAAs with entities that are clearly functioning as business associates.

Case: Center for Children's Digestive Health (CDH), Illinois

Filefax provided medical records services to several practices, among them CDH. Its services included storage, retrieval, maintenance, and delivery of records.

It is not entirely clear exactly what happened, but Filefax either left medical records that were to be shredded in an unlocked truck in its parking lot or granted an unauthorized person access to remove the records from the Filefax location.

In either case, the PHI was left unsecured outside the Filefax building. The HHS Office for Civil Rights (OCR) began an investigation in 2015 after it received a complaint about the unsecured records, and the investigation spread to the entities that used Filefax's services, including CDH.

The investigation revealed that CDH had contracted with Filefax since 2003, but no BAA had ever been signed. CDH did not have a signed BAA with Filefax until October 2015, two months after OCR's inquiries to CDH began in August 2015.

Penalty: CDH paid a $31,000 settlement.

Using an Outdated Notice of Privacy Practices (NPP) and Business Associate Agreement (BAA)

Using outdated documentation can result in hefty fines. The initial regulation requiring an NPP and a BAA took effect in 2003. The HITECH Act, as implemented by the 2013 Omnibus Rule, required changes to BAAs, and existing BAAs had to incorporate those changes no later than September 2014.

Yet many, many practices are still using the original BAAs (and NPPs) they adopted in 2003.

Case: Care New England (CNE)

CNE learned how dangerous that is in September 2016. CNE was the parent of a hospital system and provided centralized corporate services to its member hospitals, including technical support and IT services, which made it a business associate of those hospitals.

In 2012, one of CNE's covered entities discovered that backup tapes were missing. During the investigation, CNE produced a BAA dated 2005 that had not been updated until August 2015, and those updates were made only because of the OCR investigation.

Penalty: Because CNE had continued to operate under an outdated and inadequate BAA, it paid $400,000 in penalties.

Meet Your Writer

Heidi Kocher
B.S., M.B.A., J.D., CHC

Healthcare Attorney, Liles Parker PLLC

Heidi has 20 years of experience in healthcare legal and compliance issues. Her experience includes positions at a large hospital corporation, service as a compliance officer for a sleep lab/DME company, and roles as compliance director, chief privacy officer, and interim chief compliance officer at a medical device manufacturer. In addition, she has represented and advised critical access and long-term care hospitals, physician groups, home health agencies, DME companies, pharmacies (including compounding pharmacies), non-profit organizations, and licensed individuals. As a result, she understands the complexities and challenges that providers large and small face in complying with increasingly varied and complex laws. She is an expert in all aspects of compliance and privacy programs, including developing and deploying policies, procedures, and training. Her experience includes implementing the requirements of a Corporate Integrity Agreement; responding to and defending audits from Medicare, Medicaid, and private insurers up through the ALJ level; guiding clients through voluntary self-disclosures; seeking advisory opinions from the OIG; and defending FDA audits. Heidi developed the criteria for, and implemented, an aggregate spend system that allowed a medical device manufacturer to report correct information on time under Open Payments (also known as the Physician Payments Sunshine Act). In addition, she is experienced in developing and implementing compliance programs that address Foreign Corrupt Practices Act requirements, including the Eucomed guidelines. She also has significant reimbursement experience, addressing coverage policy issues, challenging denials, recoupments, and loss of billing privileges, obtaining HCPCS codes, and handling other reimbursement-related matters.