Archive for HIPAA News
The Indiana Court of Appeals recently upheld a $1.4 million verdict against Walgreens following a HIPAA violation, according to www.indystar.com. Walgreens had requested that the appeals court overturn a July 2013 verdict that awarded damages to pharmacy customer Abigail Hinchy after a pharmacist inappropriately accessed her records.
Hinchy filed a lawsuit in Marion Superior Court after learning that pharmacist Audra Withers accessed her prescription information without authorization. Withers shared the confidential information with her husband, who is Hinchy’s ex-boyfriend and the father of her child. Withers’ husband shared Hinchy’s private information with at least three other people and planned to use it in a paternity lawsuit, according to www.indystar.com.
Walgreens argued that it should not be liable for Withers’ actions. However, the court of appeals unanimously decided that Withers violated her duties by viewing and sharing information found in Hinchy’s records and that the trial court ruling allowed jurors to consider Walgreens’ liability, according to www.indystar.com.
Nebraska Medical Center in Omaha recently fired two workers for inappropriately accessing the medical records of an American aid worker being treated for Ebola at the facility, according to the Associated Press.
An audit of the medical center’s EMR revealed that the employees violated Dr. Rick Sacra’s privacy by accessing his records without authorization. The medical center notified Sacra of the HIPAA privacy violation in person and in writing. He contracted Ebola while working in Africa and spent three weeks at Nebraska Medical Center where he was treated with an experimental Tekmira Pharmaceuticals drug called TKM-Ebola and later released. The medical center did not reveal why the employees accessed Sacra’s records, the Associated Press reported.
HHS recently released guidance about HIPAA regulations affected by the Supreme Court’s 2013 United States v. Windsor ruling that found Section 3 of the federal Defense of Marriage Act (DOMA) unconstitutional. Section 3 of DOMA states that federal law would only recognize opposite-sex marriage.
The HIPAA Privacy Rule includes information about the role of family members in patient care. Section 45 CFR 160.10 of the rule includes the terms “spouse” and “marriage” under the definition of family member.
To maintain consistency with the United States v. Windsor ruling, the term spouse includes people in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction. However, same-sex marriages performed in a foreign jurisdiction must be recognized in the United States for a patient’s partner to be recognized as a spouse under HIPAA.
Similarly, the HIPAA Privacy Rule's term “marriage” covers both same-sex and opposite-sex marriages, and its definition of family member includes the dependents of such a marriage. These definitions apply to people who are legally married whether or not the jurisdiction where they reside recognizes the marriage.
Under §164.510(b), “Standard: Uses and disclosures for involvement in the individual’s care and notification purposes,” covered entities are permitted under certain circumstances to share PHI with a patient’s family member. Legally married same-sex spouses are family members for the purpose of this provision regardless of where they reside.
The definition of family member also applies to §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes, which prohibits health plans with the exception of issuers of long-term care policies from using or disclosing genetic information for underwriting purposes. Plans are not permitted to make underwriting decisions about a patient based on his or her same-sex spouse’s genetic test results or manifestation of disease.
Organizations in Florida have one more thing to worry about following a security breach or a breach of personal information. The Florida Information Protection Act of 2014 (FIPA), which went into effect July 1, requires covered entities (CE) or third parties to notify affected individuals and the Florida Department of Legal Affairs (DLA) of a breach of security or PHI within 30 days of discovery unless delayed by law enforcement. Previously, state law required CEs and third parties to notify affected individuals of a breach within 45 days.
FIPA sets forth a detailed definition of “personal information,” which includes an individual’s first name or first initial and last name combined with one of the following:
- Social Security number
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- An individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual
- A user name or email address combined with a password or security question and answer that would permit access to an online account
The law states that the definition of a CE goes beyond healthcare organizations to include “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”
Unlike HIPAA, FIPA places little responsibility for breach notification upon third parties. FIPA requires third parties to notify the CE of a breach within 10 days of discovery, at which point the CE becomes responsible for breach notification.
FIPA is enforced by the DLA under the Florida Deceptive and Unfair Trade Practices Act. Violators may face civil prosecution and/or fines not exceeding $500,000 for violating the state breach notification requirements. The DLA will submit a breach report to the Legislature by February 1 each year. CEs and third parties must still comply with HIPAA regulations in addition to FIPA.
A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.
Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.