The Security Breach Notification Rule

By Laura Gerdes Long

The security breach notification requirement applies only to “unsecured PHI.” HHS treats PHI as “unsecured” unless it has been encrypted or completely destroyed; encryption and destruction are, generally, the only methods HHS has recognized as rendering PHI “secured.” A covered entity whose PHI is secured in one of those ways therefore does not need to develop internal procedures for notifying individuals of security breaches. In any event, covered entities should review their existing Notice of Privacy Practices and update it to reflect the new notification rule.

WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?

HHS has defined “breach” to mean a use or disclosure of unsecured PHI that is not permitted by the HIPAA Privacy Rule. As we learned when the Privacy Rule was implemented, PHI generally cannot be used or disclosed without the individual’s prior written authorization. However, the Privacy Rule also contains a long list of exceptions to that general rule. Consequently, covered entities will often have to scrutinize the Privacy Rule to determine whether a breach has, in fact, occurred. A breach will occur only if the following requirements are met:

Kicking the Habit and Getting Fit Helps Employers’ Bottom Lines

By Laura Gerdes Long

Employee costs are the bottom line

The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have struggled to control and minimize the rising cost of health care for their employees, and they have increasingly been forced to shift those costs to employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can help employees improve their overall wellness while potentially reducing the employers’ own health care costs. The methods employers have begun experimenting with include wellness programs, health risk assessments, and education.

Hard, Cruel Facts

Since 2000 U.S. healthcare cost increases have exceeded the overall inflation rate by a factor of two to five times. (National Coalition on Healthcare, Economic Cost Fact Sheets.)

Physician Practices and Records Transfer in the HIPAA Era

By Laura Gerdes Long

In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer.

In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date the last professional service was provided. (R.S.Mo. § 334.097).

Personnel Records: What Goes Where

By Laura Gerdes Long

Confusion abounds when it comes to deciding which employee personnel records go where, who can and cannot access which records, and how records should be segregated. Human resource professionals have long understood that an employee’s workers’ compensation records should be kept separate from the employee’s general personnel file, which contains such things as the application for employment, resume and salary change forms.

For the small employer, however, these kinds of decisions must be addressed by management, who may not always be experienced in the nuances of human resource law. In essence, three files should be maintained for each employee:

Employer-Sponsored Group Health Plans & HIPAA

By Laura Gerdes Long

If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.

Physician practices typically understand that they are “Covered Entities” under HIPAA because of their status as medical providers, but many are unaware that they may also carry the title of “Covered Entity” by way of their status as an employer sponsoring a group health plan.
