The Office of Inspector General’s (OIG) 2016 Work Plan, released November 3, 2015, calls for increased scrutiny of protections of electronic protected health information (“ePHI”) with respect to “networked medical devices.” Furthermore, the OIG indicated its plan to determine the “extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA)” regarding their use of electronic health records (“EHR”) systems. Thus, the OIG has indicated that there will be heightened focus on the HIPAA Security Rule, which addresses the administrative, physical and technical safeguards of ePHI (45 CFR Part 160 and Subparts A and C of Part 164).

The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (“FDA”) is providing sufficient oversight of “networked medical devices” in hospitals. With this statement of priorities for 2016, the OIG has affirmed that the proliferation of devices, with their ability to store health information, creates real risks to the privacy and security of ePHI. Although the list of devices that store and transmit ePHI is vast and growing rapidly, the OIG specifically mentioned “dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network.” The OIG also recognized that these devices may create risks, whether they are wired or wireless.

The OIG also stated, “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.” In highlighting the MDS2 forms, the OIG has effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.

Although it was not mentioned in the 2016 Work Plan, anyone using networked medical devices should bear in mind that improper disposal of such devices carries significant HIPAA risks. Specifically, for any of these devices that store ePHI locally, there is a risk of a HIPAA violation if the device is not stripped of all ePHI or otherwise destroyed prior to disposal. Indeed, in 2013, Affinity Health Plan Inc. entered a $1.2 million settlement agreement with the U.S. Department of Health and Human Services for returning multiple photocopiers to a leasing agent without first erasing the data contained on the hard drives of the copiers.

In 2015, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) will begin enforcing the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) through random audits. Covered entities (including health care providers, health plans, and health care clearing houses) as well as business associates (including certain vendors that provide services for covered entities) are subject to being randomly selected for an audit.

The audit program comes as the result of Section 13411 of the HITECH Act, which requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR is tasked with enforcing these rules. A pilot audit program was established and conducted in November 2011 through December 2012, which led to the audit of 115 covered entities by KPMG on behalf of OCR. OCR has provided an on-line summary of results of the pilot audit program. Such results reveal that a majority of the compliance issues were related to the HIPAA Security Rule.

As of September 23, 2014, the HITECH Act Omnibus Final Rule’s grandfather exemption for HIPAA-required business associate agreements (BAAs) has expired. The HITECH Act Final Rule was released by the U.S. Department of Health & Human Services on January 17, 2013, making many changes to BAAs that are required under HIPAA. While all new

As part of a growing trend in state legislatures across the country, the Florida Information Protection Act of 2014 (FIPA), § 501.171, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. Effective July 1, 2014, FIPA’s new requirements should be reviewed by any entity with a presence in Florida. This post provides a few of FIPA’s highlights, including the significant changes from the state’s prior data breach notification statute. Click here for a more in-depth analysis of this new statute in the recent McGuireWoods Legal Alert.