Troubling Practices by Hospitals for Patients’ Access to Medical Records Uncovered

By Health Care Law Practice Group



A new study published in JAMA Network Open and conducted by Yale University School of Medicine found troubling practices at U.S. hospitals relating to patients’ access to and provision of patients’ own medical records.  HIPAA’s Privacy Rule absolutely requires access to a medical record when properly requested under two circumstances:  (1) to the patient; and (2) to the Secretary of the Department of Health and Human Services.  Further, the patient must be provided records in his or her preferred format and for a reasonable processing fee.  Shockingly, only 53 percent of the hospitals surveyed provide patients an option to obtain their own medical records.  (Eighty-three top-ranked U.S. hospitals in 29 states were surveyed.)

Missouri Health Care Legislation Update

By Health Care Law Practice Group



MO HealthNet Program Expands Its Coverage:

  • Section 208.151 (20) RSMo was expanded to include language allowing pregnant women who receive substance abuse treatment within sixty (60) days of giving birth, subject to appropriations and any necessary federal approval, to be eligible for MO HealthNet benefits for substance abuse treatment and mental health services for the treatment of substance abuse for twelve (12) additional months, as long as the woman remains adherent with treatment.
  • With the passage of HB 1516, § 208.152(7), chiropractors are included in the MO HealthNet Program, which now allows, . . . subject to appropriation, up to twenty (20) visits per year for services limited to examinations, diagnoses, adjustments, and manipulations and treatments of malpositioned articulations and structures of the body provided by licensed chiropractic physicians practicing within their scope of practice.

CEU Requirements Expanded:

  • As amended, § 324.046 RSMo provides that any Missouri licensed healthcare professional may annually complete training in the areas of “suicide assessment, referral, treatment and management,” which may qualify as part of the continuing education requirements of the professional’s licensing authority with the Division of Professional Registration for renewal of licenses.

Modernizing Healthcare Legislation in the Face of the Opioid Crisis

By Health Care Law Practice Group



In 2016, opioid overdoses accounted for more than 42,000 deaths in America. It was estimated that 11.5 million people misused opioid prescriptions and 2.1 million people suffered from an opioid use disorder that same year.[1] From July 2016 to September 2017, the Center for Disease and Prevention found that opioid overdoses increased 30% in 45 states; however, the Midwest region alone saw a 70% increase.[2] On October 26, 2017, President Trump declared the opioid crisis a national Public Health Emergency under federal law.

While the federal government has responded by allotting six billion dollars to assist in the treatment and prevention of opioid overdoses, hospitals and medical providers still face barriers when it comes to the disclosure of medical information related to these overdoses due to conflicts between HIPAA and other federal law. Congress is working to resolve this conflict.

In 2017, the Department of Health and Human Services Office for Civil Rights (OCR) released a new HIPAA Guidance on when and how healthcare providers may share a patient’s health information with his or her family members, friends, and legal representative if the patient is in crisis. Current HIPAA regulations permit (but do not require) healthcare professionals to disclose health information without a patient’s consent if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment of care. This allows a provider to talk to the parents of someone incapacitated by an opioid overdose about the overdose, but generally does not allow disclosure of medical information unrelated to the overdose without the patient’s permission.

The EEOC Catches the Flu: A Cautionary Tale for Employers With Mandatory Flu Vaccination Programs

By Katherine M. Flett



After enduring one of the worst flu seasons in nearly a decade, there is no question why more employers are instituting mandatory flu vaccination programs. In fact, mandatory flu vaccination programs are increasingly popular for healthcare employees.

No current laws in Missouri or Illinois mandate all health care employees to be vaccinated against the flu. That being said, nursing home employers in Missouri are required to either offer the flu shot to all employees and volunteers who have direct contact with residents, or provide the employees and volunteers with information about how they can obtain the flu shot independently. Similarly, health care employers in Illinois are required to provide all employees with education on influenza, as well as the opportunity to receive the vaccine. Some states, such as California and Maryland, require hospitals to publish their employee vaccination rates to the public.

When instituting a mandatory flu vaccination program, however, an employer should be aware of the possible ramifications of denying or terminating employment for refusal to comply with a mandatory flu vaccination program on the basis of religious beliefs.

The Intersection of HIPAA and Cloud Storage

By Katherine M. Flett



Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage.  Storage of data in the “cloud” allows users to store, maintain, and manage data remotely on the internet.  Its advantages include accessibility of the cloud-stored data from any location via the internet, emergency back-up capacity, and even cost savings.  An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies who advertise their “HIPAA-compliant cloud services.”  It is important to remember that working with a company who claims their cloud storage “is HIPAA compliant,” does not excuse you from meeting HIPAA requirements.  Due diligence is required when selecting such a company and entering into appropriate contractual arrangements with the companies.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment.

HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider.  Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA.  Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BA”) as long as they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the health care provider’s duties under HIPAA, through the execution of business associate agreements.

New Requirements for Health Care Providers Under Missouri’s Health Care Cost and Transparency Act

By Katherine M. Flett



On May 25, 2016, Missouri Senate Bill 608 was passed by the Missouri House and Senate.  The Bill adds new requirements to the provision known as the “Health Care Cost and Transparency Act.” Beginning July 1, 2017, the new law requires all licensed health care providers, facilities, and imaging centers to provide an estimate on the cost of a particular health care service or procedure within three business days of a written request from the patient, along with a medical treatment plan from the patient’s health care provider. The estimate must only include those services within the direct control of the health care provider and the amount that will be charged to a patient if all of the charges are paid in full by the patient, without a public or private third-party paying for any portion of the charge. Further, these provisions do not apply to charges for hospital emergency departments.

If health care providers provide publicly available links to the estimated costs or post such costs on a publicly available website, they are not required to provide cost estimates to patients upon written request.

Also beginning July 1, 2017, hospitals will be required to make publicly available the amount that would be charged, without discounts, for each of the 100 most prevalent diagnosis-related groups, as defined by Medicare.

HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

By Katherine M. Flett



On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Center (Advocate) in which Advocate agreed to pay $5.5 million to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  This is the largest HIPAA settlement against a single entity to date, and according to OCR, is due to the severity of the violations and the length of time that those violations continued.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of unsecured electronic protected health information (ePHI).  The combined breaches resulted in unsecured access to over four million patients’ information.

Another State Rules That Patients Can Sue For Negligence for Violating HIPAA Regulations

By Health Care Law Practice Group



The Connecticut Supreme Court has now joined Missouri, West Virginia and North Carolina in rulings connecting HIPAA with negligence lawsuits by patients.

In a case of first impression in Connecticut, the state’s Supreme Court ruled that a patient can sue a medical office for HIPAA negligence if it violates the patient’s privacy when improperly releasing the medical records to a third party. There is no dispute that HIPAA does not create a private cause of action. Increasingly, however, HIPAA can provide the standard of care for how a medical office releases confidential medical records, and the office can be found negligent if it releases such medical records contrary to the requirements of the HIPAA regulations.

Hacked Hospital Network Includes Outstate Missouri Hospitals

By Health Care Law Practice Group



4.5M Records Stolen, HIPAA violation

In June 2014, hackers in China used high-end, sophisticated malware to launch criminal cyber-attacks to access patient information from a national hospital system. Community Health Systems, Inc. (“CHS”), operates 206 hospitals across the U.S. in 29 states, including four located in Missouri (Kennett, Kirksville, Moberly, and Poplar Bluff). The breached data is considered protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a filing with the U.S. Securities and Exchange Commission, CHS said the attacker was an “Advanced Persistent Threat” group which bypassed CHS’ security measures, successfully copying and transferring certain data outside CHS. Although CHS has confirmed that this data did not include patient credit card, medical, or clinical information, the breach does include patient names, addresses, birth dates, telephone numbers and Social Security numbers. CHS has been working closely with federal law enforcement authorities in connection with their investigation and potential prosecution of those determined to be responsible for this attack.

Under various state and federal laws, CHS is obligated to notify affected patients. The Department of Health and Human Services provides a web page describing the breach notification requirements of covered entities to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media.

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

By Health Care Law Practice Group



A story concerning the death of a female athlete by suicide, her alleged rape, and the role played by the university she attended in the tragic facts has placed the issue of patient confidentiality squarely in the headlines.  The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school.  According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape.  Just hours before publishing the story, the ESPN producer asked university officials:
