Long Term Care & Senior Living Blog

On June 29, 2016, the Office of Civil Rights (OCR) announced a Resolution Agreement it entered with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) a business associate of six nursing homes. This Resolution Agreement included a monetary payment of $650,000 and a Corrective Action Plan (CAP). The CAP requires CHCS to conduct a risk analysis and risk management, to develop and maintain written policies and procedures as well as to train all members of the CHCS workforce with access to ePHI within 60 days of the CAP in compliance with HIPAA, and to submit annual reports and attestation of CHCS’ compliance with the CAP for two years following the execution date of the Resolution Agreement.

The U.S. Department of Justice (“DOJ”), in trying to initiate quicker enforcement actions and prosecutions, has created several Elder Justice Task Forces to target health care providers who commit crimes in the service of the elderly. The Task Forces are comprised of representatives from federal, state and local law enforcement, the U.S. Department of Health and Human Services, state adult protective services agencies, long-term care ombudsman programs, U.S. Attorneys’ offices, state Medicaid fraud control units, and state and local prosecutors.

$1.55 Million Settlement focuses on HIPAA requiring Business Associate Agreements

The HIPAA Final Rule has been in effect since 2013, but HIPAA settlements following breaches continue to be reported. If you think the need for a risk analysis under HIPAA is not important, think again! On December 14, 2015, the Department of Health and Human Services (HHS) announced another $750,000 HIPAA settlement with the University of Washington Medicine (UWM). This settlement not only involves a payment of $750,000 but also requires a corrective action plan and annual reports to the Office for Civil Rights (OCR) on UWM’s compliance efforts. The settlement follows an OCR investigation after UWM reported a breach of electronic protected health information (ePHI) involving approximately 90,000 individuals after an employee downloaded an email attachment containing malicious malware. As a result, UWM’s IT system involving 76,000 patients names, medical record numbers, dates of service, and/or charges or bill balances as well as approximately 15,000 patients’ names, medical record numbers, and other demographics were compromised.

It will happen to almost any medical malpractice, product liability, or personal injury defense attorney at some point. You are going to attend one of the plaintiff’s treating medical provider’s deposition, and the doctor’s attorney has asked you to send the plaintiff’s medical records and a copy of the Complaint for the attorney to review. This request seems harmless enough, right? Only as long as you have the proper authorization, according to the holding in Thompson v. University of Chicago Medical Center, No. 2012 L 010412 out of the First Judicial District, Cook County, Illinois.