The Security Breach Notification Rule

Health Care Law Practice Group

By Health Care Law Practice Group



A security breach notification only applies to “unsecured PHI”. PHI that is not encrypted or completely destroyed is considered “unsecured” by HHS. The only way, generally, that HHS has said that PHI would be considered “secured” is if it is encrypted or completely destroyed. If that is the case, then the covered entity does not need to develop internal procedures for notification of security breaches. In any event, those practices should review their existing Notice of Privacy Practices to update it with respect to the new notification rule.

WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?

HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the Privacy Rule was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met:

Kicking the Habit and Getting Fit Helps Employers’ Bottom Lines

By Health Care Law Practice Group



Employee costs are the bottom line

The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can assist their employees in improving their overall wellness, while at the same time potentially reducing the employers’ health care costs. The methods that employers have begun experimenting with include implementing wellness programs, offering health risk assessments, and education.

Hard, Cruel Facts

Since 2000, U.S. healthcare cost increases have exceeded the overall inflation rate by a factor of two to five. (National Coalition on Healthcare, Economic Cost Fact Sheets.)

Physician Practices and Records Transfer in the HIPAA Era

By Health Care Law Practice Group



In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer.

In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date the last professional service was provided. (R.S.Mo. § 334.097).

Employer-Sponsored Group Health Plans & HIPAA

By Health Care Law Practice Group



If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.

Physician practices typically understand they are “Covered Entities” under HIPAA due to their status as medical providers, but many are unaware they may carry the title of “Covered Entity” by way of their employer status.
