There were two important HIPAA developments during this past week. First, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that Pagosa Springs Medical Center (“PSMC”), a Colorado hospital, agreed to pay $111,400 to settle allegations that it violated HIPAA by failing to deactivate a former employee’s access to protected health information (“PHI”) and by failing to have a business associate agreement (“BAA”) in place with Google. This is the third HIPAA settlement announced by the OCR in as many weeks. Second, on December 12, 2018, the OCR issued a Request for Information (“RFI”) seeking public input on how the HIPAA rules could be modified in light of the healthcare delivery system’s shift toward value-based (as opposed to volume-based) care.
According to the Resolution Agreement between OCR and PSMC, PSMC is a critical access hospital with 11 inpatient beds, 24-hour emergency care, imaging and other outpatient services. The OCR’s investigation of PSMC was initiated by a complaint. The OCR’s investigation revealed that:
In addition to the $111,400 payment, PSMC and the OCR entered into a two-year Corrective Action Plan (“CAP”), which requires PSMC to:
The PSMC settlement is the third HIPAA enforcement action announced by the OCR in the last three weeks, and the second involving a covered entity’s failure to have a HIPAA-required BAA in place with a vendor. Saul Ewing Arnstein & Lehr’s summaries of the prior two HIPAA settlements may be found here and here. Covered entities and business associates must have effective HIPAA compliance programs in place, which include, but are not limited to, compliant BAA relationships with every vendor that handles PHI on their behalf and the immediate termination of access to PHI when an employee stops working for the covered entity or business associate.
The RFI is part of the Administration’s “Regulatory Sprint to Coordinated Care.” It seeks public comments on ways to modify the HIPAA regulations to “remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or care management and to promote the transformation to value-based health care.” In the press release announcing the RFI, the OCR stated that, “[I]n recent years, OCR has heard calls to revisit aspects of the [HIPAA] Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of [PHI] and/or patients’ ability to exercise their rights with respect to their PHI.”
The RFI specifically seeks comments with respect to more than fifty (50) “questions” (many of which involve sub-questions) to advance these goals:
Comments must be submitted no later than February 12, 2019. If HHS is sincere in its interest in considering changes to the HIPAA Privacy Rule, covered entities and business associates should read the RFI and respond to the items in it that are of most interest, or of most potential impact, to their organization. The RFI may be found here.