
Deborah focuses her practice on representing physicians, behavioral health providers, hospitals, ambulatory surgery centers and multispecialty clinics in operational and regulatory matters. She successfully guides HIPAA investigations, including breaches involving hundreds of individuals.

Based on recent news stories and our own experience, cybercriminals appear to be targeting healthcare providers with ransomware attacks. Publicly reported incidents, and others of which we are aware, have involved providers ranging from clinics and imaging centers to hospitals. These entities have had to pay hundreds to thousands of dollars to regain access to their medical records, billing records or other vital computer systems, often after a significant interruption of operations. On March 31, 2016, the U.S. Department of Homeland Security issued an alert about ransomware in response to recent attacks on businesses worldwide, including healthcare facilities and hospitals.

My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office for Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016.

Effective Sept. 1, 2015, there are significant changes to Texas Guardianship laws. For the first time, probate courts must consider alternatives to guardianship, and supports and services available to the proposed ward before a guardianship is created. Two new alternatives to appointing a guardian now exist: Designation of Guardian Before the Need Arises and Alternate Forms of Decision-Making Based on Person-Centered Planning; and Supported Decision Making Agreement. Tex. Est. Code §§ 1002.0015 & 1357.001.

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. The healthcare industry is a prime target, especially given the premium value of health information on the black market. And healthcare entities face not only PHI breach exposures, but also security risks for other forms of protected information, such as PII and, for many, cardholder data.

Healthcare organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.

The U.S. Department of Health & Human Services (“HHS”) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce the administrative burden and cost of renegotiating existing business associate agreements, HHS provided a transition period: business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that this deemed-compliance period ends Sept. 22, 2014.

The Long-Awaited HIPAA Omnibus Rule was just issued by HHS.

Brown McCarroll is reviewing the 563-page prepublication version of the new HITECH Act rules. Of importance, there are new requirements for business associates and their subcontractors, as well as significant changes for hospitals and health systems, including provisions requiring changes to the Notice

The Director of the Office for Civil Rights (“OCR”), Leon Rodriguez, has made clear that he “absolutely” plans to continue the office’s ongoing efforts to ramp up enforcement of HIPAA through resolution agreements, civil monetary penalties and other enforcement actions. He has emphasized that privacy and security are issues that “really matter to me personally

Recent stories highlight the need for providers to be diligent in preventing unintended release of protected health information (PHI). Tragic losses of PHI occur through theft, accident or malfunctioning equipment. To protect the privacy of PHI, providers must be alert to behaviors of their employees, patients, and even individuals who have no relationship to the