HIPAA (Health Insurance Portability & Accountability Act)
Healthcare providers, billing companies, as well as software and technology companies that serve the healthcare industry—even healthcare attorneys and accountants—are all subject to privacy and security requirements. The regulations under federal laws such as HIPAA and HITECH are complex and constantly evolving, as are the industry standards for what counts as a “reasonable” safeguard. Failure to comply can result in large fines, lawsuits, and business reputation damage that can be catastrophic.
HIPAA protects the privacy of individually identifiable health information about a patient that is transferred to or maintained by a healthcare provider. HIPAA rules protect the information itself, regardless of what form it takes. Voicemails, telephone conversations, emails, faxes, even oral conversations that can be overheard are protected under HIPAA. Oversights in office design, employee training, and software choices can all lead to HIPAA violations. Of particular concern in this age of ransomware attacks and computer hacking is protecting information stored digitally.
Jackson Walker assists healthcare providers, employers, insurers, vendors, and managed care plans in ensuring compliance with HIPAA, HITECH, and other state and federal privacy laws and regulations. Our attorneys have extensive knowledge of the systems, software, and security necessary to control how electronic health and benefit information is coded, stored, retained, and communicated. This knowledge is essential to helping clients avoid costly legal sanctions.
Our attorneys are nationally recognized for their experience with HIPAA matters, and are frequently called on to speak at conferences and seminars. We combine our deep knowledge of HIPAA and other privacy laws with broader experience in our Healthcare, Cybersecurity, Employee Benefits, and Litigation practices, to deliver tailor-made, cost-effective solutions to health information privacy and security issues.
- Represented a hospital in responding to a cyber-attack involving deployment of ransomware.
- Represented a medical school in responding to a HIPAA breach involving a stolen notebook containing medical information.
- Represented multiple hospitals and medical practices in addressing data breach investigations by HHS’ Office for Civil Rights.
- Represented multiple clients in investigating and responding to potential and actual data breaches and security incidents.
- Drafted form HIPAA documents, including Policies and Procedures, Notices of Privacy Practices, Business Associate Agreements, and Authorizations, for physician members of the Texas Medical Association.
January 17, 2022
Patient Blocks Exam Elements? Work With Them Before Turning Them Away | Part B News (Subscription Required)
Providers are usually obliged by contract and allowed by HIPAA to communicate an insured patient’s medical information to insurers. But, Jeff Drummond says, such patients may avail themselves of an exception in the HITECH Act that he calls the “hide rule,” by which “a patient may request that a health care provider not provide information relating to a particular service or treatment to an insurer for payment or health care operations purposes, so long as the patient has paid for the service or treatment in full, out of pocket, prior to making the request.”
August 13, 2021
Still Missing a New Leader, Former OCR Directors, Experts Offer Advice, Task List | Report on Patient Privacy
Issue a final rule revising the privacy regulation and write guidance on the information blocking rule. Formalize the fledgling audit program required by Congress more than 10 years ago. Engage with providers and other HIPAA-regulated entities. And by all means, get cracking.
June 10, 2021
On June 20, 2021, Foo Fighters will perform at Madison Square Garden with only vaccinated people allowed to attend the full-capacity concert. In a Daily Caller article discussing the legality of private businesses refusing services to customers based on their vaccination status, Jeff Drummond noted: “HIPAA isn’t an issue. HIPAA only applies to health plans, health care data translation companies (called “health care clearinghouses”), and most (but not all) health care providers. Airlines, restaurants, landlords, and non-health care business owners are not subject to HIPAA.”
April 7, 2021
Healthcare partner Jeff Drummond discusses COVID-19 vaccine passports and the protections provided to an individual.
January 1, 2021
The Office for Civil Rights (OCR) is asking the public for ways to modify HIPAA regulations, specifically to drive cost savings and value, notes Jeff Drummond. The changes are intended to help HIPAA mesh better with coordinated care platforms and improve care coordination, he says.
July 30, 2020
Covered entities should ensure HIPAA compliance the same way they did pre-pandemic: by analyzing the risks and adopting safeguards that minimize those risks, Jeff Drummond mentioned in this article.
July 2, 2020
Prepare for Closer HIPAA Scrutiny of Telehealth as States and Practices Cautiously Reopen | Part B News
As states and medical practices slowly reopen and return to normal, the HHS Office for Civil Rights (OCR) will likely end its COVID-19 public health emergency telehealth waivers that were instituted in March.
April 15, 2020
Jeff Drummond discusses how the government is clarifying its flexible guidelines on how industries may apply privacy rules during this pandemic, and how once the emergency goes away, the rules will most likely return to their more rigid application.
April 9, 2020
Dallas partner Jeff Drummond was quoted in the Health Care Compliance Association’s Report on Patient Privacy about concerns related to providing lists of COVID-19-positive patients to first responders.
- Identification and resolution of HIPAA compliance violations
- Advice regarding maintenance of required HIPAA documentation
- Preparation and implementation of privacy and security policies and procedures to ensure that Protected Health Information (PHI) is kept private and secure
- Preparation of Notices of Privacy Practices
- Preparation of compliant consents, authorizations, and patient/beneficiary documentation
- Preparation and negotiation of Business Associate Agreements
- Initial and ongoing risk analysis and reviews
- Defense against HIPAA, HITECH, and other privacy claims
- Data breach and incident response, investigation, analysis, and litigation
- Cyber-insurance analysis, selection, and representation
- Employee and provider HIPAA training
- Updating agreements to comply with HIPAA and HITECH