Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Providers: Your Business Associates Could Cost You Millions

Healthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are entities that are not themselves HIPAA covered entities but that require access to protected health information (PHI) to perform services for covered entities, often as a contractor or subcontractor. The hospital’s policies failed to ensure the business associate adequately protected consumers’ PHI.

While HIPAA applies directly to covered entities, those entities must also ensure that any business associates adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules:

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password-protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to safeguard private healthcare information, we can help. Please contact Jonathan Anderson at or 678.325.3872.

Are You Compliant? HHS Issues Guidance & Likely To Continue HIPAA Compliance Scrutiny

The Department of Health and Human Services (HHS) started the year by publishing new HIPAA guidance with respect to patient access to medical records.

While the recent HHS guidance does not add anything new to the regulations, it serves as a reminder to providers of certain provisions in the law. The guidance is intended as a tool to aid individuals in exercising their rights to access their medical records and to help providers ensure HIPAA compliance.

HHS highlighted certain provisions in the HIPAA regulations including provider obligations to respond to a request from a patient within 30 days and provide PHI in an electronic format if requested (assuming the electronic format requested can be readily produced by the provider).

The guidance also reminds providers that covered entities are not required to provide every single record about an individual even if the individual asks. Certain exceptions to a patient’s right to access include:

  • Patients do not have the right to access information that is not used to make decisions about that individual. For example, certain quality assessment or improvement records, patient safety activity records, or business planning, development and management records that are used for business decisions do not have to be provided to an individual.
  • Individuals do not have a right to access psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a counseling session with the individual.
  • Providers can deny access to certain records if a licensed health care professional determines in the exercise of professional judgment that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
  • Patients do not have a right to access certain records compiled in reasonable anticipation of, or for use in, a legal proceeding.

Additionally, providers do not have to create new information, such as explanatory materials or analyses, that does not already exist in the record.

The government’s emphasis on HIPAA is expected to continue with pending audits of covered entities and business associates likely to take place this quarter. Now is the time for healthcare providers to review their policies to ensure that they are complying with the HIPAA regulations.

If you would like to review the HHS guidance, it is available at

If you need help ensuring HIPAA compliance, please contact Danielle Hildebrand at or 678.325.3872.
Healthcare Providers Need To Examine Billing Practices To Ensure Compliance

Last month, the Department of Health and Human Services released its annual report for the Health Care Fraud and Abuse Control Program. According to the report, in 2014 more than 900 new criminal health care fraud investigations were opened by the Department of Justice. There was a slight increase in the number of criminal cases and convictions from the previous year, with 496 cases and 735 defendants convicted of criminal health care fraud. Civil cases alone resulted in $2.3 billion in settlements and judgments.

The government’s press release reiterated that detecting and eliminating fraud and abuse continues to be a top priority. The government attributes its high recoveries to a change in strategy that uses real-time data analysis to detect fraud more quickly. The Centers for Medicare and Medicaid currently uses advanced analytics on Medicare fee-for-service claims. The goal is to detect aberrant and suspicious billing patterns, which would then trigger an investigation or enforcement action by the government.

Now is the time for Medicare and Medicaid providers to review their billing practices and financial relationships to ensure that they are compliant with federal laws. Charges against providers were made under the False Claims Act, as well as the Anti-Kickback Statute, the Stark Law (Physician Self-Referral Law), and other federal laws.

The full annual report is available at

If you have any questions about the legality of your billing practices or financial relationships, please contact DJ Jeyaram at or Danielle Hildebrand at
Are YOU Compliant With New HIPAA Rules?

It has been half a year since the new HIPAA Rules were fully implemented. Are you compliant?

If you are a healthcare provider or work with healthcare providers you should already know that last year the Department of Health and Human Services published the HIPAA Omnibus Rule expanding the reach of HIPAA enforcement and bolstering notification requirements. Under the rule, business associates must comply with most of the requirements that previously only applied to covered entities.

Furthermore, HHS can now impose penalties directly on business associates, which range from $100 to $50,000 per violation.

Covered entities also have new requirements that they must follow. For example, such entities must provide notifications to the affected individuals and to HHS when a breach has occurred. If a large group of individuals is affected, the entities must also notify the media. Furthermore, the definition of a breach is more expansive: an impermissible use or disclosure of protected health information (PHI) is presumed to be a “breach” unless the HIPAA-covered entity demonstrates there is a low probability that the PHI has been compromised.

Entities that deal with protected health information in the form of electronic health records should also be aware that such entities have become an attractive target for hackers. The information in a medical record is extremely valuable on the black market, making patients’ protected health information susceptible to theft.

Given the new obligations and penalties under the Omnibus Rule and the increasing vulnerability of protected health information, it is more important than ever to ensure that the proper measures are in place to prevent breaches. HIPAA-covered entities and business associates need to consider whether they are in a position to protect against and appropriately respond to breaches through periodic risk assessments and implementation of HIPAA-compliant policies and procedures.

Some threshold questions that your entity will want to ask include:

  • Do you have a current written HIPAA policy that reflects the practices of the organization?
  • Does your HIPAA policy address what is to be done in the event of a breach?
  • Does your policy provide a proper means of assessing whether a breach has occurred?

You can view the Omnibus Rule, including the changes to the Privacy Rule, Security Rule and Breach Notification Rule here: – HIPAA Omnibus Rule