September 18, 2019

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

HIPAA Updates: New Guidance for Business Associates and Continued Data Breaches

The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for.  In the guidance, OCR states that BAs can be held directly liable for a list of 10 violations but notes that certain other violations, like the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a BA.  The covered entity (CE) is still on the hook for violations of this type, however, so CEs should carefully review their BAAs to ensure that it covers requirements that don’t directly apply to BAs but are still enforceable against CEs.  

Large data breaches also continue to dominate the press.

  • Last week, we discussed on the blog a breach involving an EMR and software services provider after hackers accessed 3.5 million patient records. You can read more about it here.

  • OCR recently announced a settlement in which a diagnostic imaging company, Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. OCR began an investigation after receiving an email alleging that information about TMI’s patients, including social security numbers, were publicly available online due to an unsecure FTP server.  TMI discovered the breach only after receiving a letter from OCR regarding its investigation.   TMI’s server had allowed uncontrolled access to certain information, which permitted search engines to index the information and the information to be available online even after the server was shut down. Furthermore, TMI initially stated that no PHI was exposed but subsequently admitted that PHI of over 300,000 patients was involved.  The settlement agreement states that OCR’s investigation indicated that TMI: failed to enter into a business associate agreement with certain vendors; failed to conduct an “accurate and thorough” security risk assessment; and failed to notify the affected individuals and media of the breach, among other HIPAA violations.

  • On Wednesday, LabCorp announced that it received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA.  This announcement followed a similar one from Quest Diagnostics earlier last week, in which Quest reported that AMCA’s breach affected 11.9 million of its patients.  According to LabCorp’s 8-K, the information on AMCA’s affected system could include individuals’ first and last names, dates of birth, addresses, phone numbers, dates of service, provider names, and balance information.

Also, in case you missed it, our Privacy & Cybersecurity colleagues recently wrote about Nevada’s new privacy law, which requires website operators to provide consumers with the right to opt-out of the same of their personal information.  We continue to track state law developments, like the California Consumer Privacy Act (see our recent post here), that impact those that operate in the health care industry. 

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her...

Kate Stewart, Mintz Levin Law Firm, Boston, Health Care Law Attorney

Kate’s practice involves a variety of regulatory and transactional matters for healthcare providers, including hospitals, physician groups, clinical laboratories, retail health clinics, and pharmacies.  

Kate counsels health care clients on HIPAA compliance, telemedicine practice, licensure and scope of practice issues, clinical trial compliance, physician contracting and the federal Physician Payments Sunshine Act. 

For both Covered Entities and Business Associates, she has advised on initial implementation and updates to HIPAA-mandated policies and procedures, contracting matters, and analysis of and response to potential breaches under HIPAA and state data breach rules. She provided in-house HIPAA guidance to a third-party administrator during a secondment from the firm.  

In her transactional practice, Kate advises providers, payers, and investors in mergers and acquisition and joint ventures. 

Kate also counsels a variety of nonprofit organizations on entity formation, governance, tax-exemption issues, and mergers and acquisitions.   

Prior to joining Mintz Levin, Kate served as a law fellow at the O’Neill Institute for National and Global Health Law at Georgetown University. Her work there focused on international health governance, pre-exposure prophylaxis for HIV/AIDS, and food and drug safety issues.