HIPAA Blog

HIPAA and Same-sex Marriage

Understanding Relationships & HIPAA

The HIPAA Privacy Rule recognizes the important role that family members, such as spouses, often play in a patient’s health care. How HIPAA applies to same-sex marriage has therefore become an important topic to understand. The Privacy Rule requires covered entities to treat an individual’s personal representative, who may be a spouse, as the individual for purposes of the Privacy Rule, including the right to access the individual’s health information. In addition, the Privacy Rule protects against the use of genetic information about an individual, which also includes certain information about the individual’s family members, for underwriting purposes.

A Major Court Decision

On June 26, 2013, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional in United States v. Windsor. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. As a result of this decision, the federal government recognizes the rights of individuals in same-sex marriages. The decision did not, however, resolve the status of such rights under state law. Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other states.

Effects of the Decisions

In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. This guidance also updates and expands on related guidance issued in September 2014.

Marriage, Spouse & Family Member

The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage. The term marriage includes all lawful marriages. A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction, as long as a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction. The term spouse includes all individuals who are in lawful marriages, without regard to the sex of the individuals. The term family member includes lawful spouses and dependents of all lawful marriages. In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.

The term family member is relevant to the application of §164.510(b), which governs permitted uses and disclosures of PHI related to another person’s involvement in an individual’s care, and notifications about the individual’s location, general condition, or death. Under certain circumstances, HIPAA permits covered entities to share an individual’s protected health information with a family member of the individual. Legally married spouses are family members for the purposes of applying this provision.

The Source

This material was taken directly from the HHS.gov site at the following link.

We can help you

These are important recent changes that will affect how you deal with partners and same-sex marriages. If you have any questions, please contact us.

The HIPAA Omnibus Bill Is Here

The HIPAA Omnibus Bill is here, and Anesthesia Compliance Consultants has summarized the major provisions of the HIPAA Omnibus Rule, which is effective March 26, 2013, with a compliance date of September 23, 2013. This will affect anesthesia practices in many wa

Final modifications to HIPAA

1. First, it finalizes a set of modifications to the HIPAA Rules that:
   - make business associates of covered entities directly liable for compliance with the HIPAA Privacy and Security Rules’ requirements;
   - strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
   - expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
   - require modifications to, and redistribution of, a covered entity’s notice of privacy practices;
   - modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
   - adopt the additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2. Second, it changes the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule.

3. Third, it makes changes to Breach Notification for Unsecured PHI under the HITECH Act, replacing the breach notification rule’s “harm” threshold with a more objective standard and supplanting an interim final rule.

4. Finally, it modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes; this change was published as a proposed rule in 2009.

Be Prepared for Omnibus Bill

The HIPAA Omnibus Bill is here, and Anesthesia Compliance Consultants will send out a series of newsletters to help you understand the ramifications of the new rule. Most importantly, you must understand the changes to Business Associate Agreements and Breach Notification, and the increased monetary fines and penalties for violations.

Lack of HIPAA Policies

Lack of policies expensive

Big Settlement!

Settlement for HIPAA Violations

On December 27, 2013, the Office for Civil Rights (OCR) announced a settlement of potential violations of the HIPAA Rules, including the Breach Notification Rule, with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm). Above all, this case shows how expensive a lack of HIPAA policies can be.

As a consequence, AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. In brief, AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.

Lack of Policies

This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition, the covered entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities.

Lack of Risk Analysis

The OCR investigated AP Derm after receiving a report that an unencrypted thumb drive containing electronic PHI had been stolen from the vehicle of one of its staff members. The investigation determined that the practice had not conducted a risk analysis of its potential vulnerabilities, had not fully complied with the Breach Notification Rule, and had failed to have written policies and procedures and to train its employees.

Penalties for Violations

The severity of the penalty for a HIPAA violation varies. The OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, for serious violations, financial penalties may be appropriate.

HIPAA Breach Leads to Lawsuit

Breach Resulted in a Lawsuit

The Privacy Rule

The key provisions of the Privacy Rule protect any PHI that is held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. This is the responsibility of all institutions that handle PHI. On occasion not everything goes according to plan and a breach does occur, so it is important to know what to do at that time. We share with you a situation in which a HIPAA breach led to a lawsuit.

Breach Notification

The Breach Notification Rule requires covered entities to notify affected individuals, HHS and, in some cases, the media of a breach of unsecured PHI. Notifications must be provided without unreasonable delay and no later than 60 days following discovery of the breach. Notification of smaller breaches, those affecting fewer than 500 individuals, may be submitted to HHS annually. The rule also requires business associates of covered entities to notify the covered entity of a breach. Above all, it is critical that the affected individuals be notified of the nature and extent of the breach. Our experts can provide you with important guidance on breach notification.

Hospital Faces Legal Battle

North Shore-Long Island Jewish Health System faced a widening legal battle over allegations that it failed to notify hundreds of patients that an identity-theft ring had stolen their unprotected confidential information. This breach resulted in a lawsuit.

Recently, patients brought a $50 million lawsuit against New York State’s North Shore-Long Island Jewish Health System for allegedly allowing a data breach that exposed confidential patient information and failing to report it to the affected patients for almost a year.

Physician Files Lawsuit

One of the plaintiffs, Peterman, is employed by the health system. She had worked for North Shore-LIJ for 17 years and was a patient at a system hospital on Jan. 23, 2012, the lawsuit says.

Soon after, police in Arlington, Va., discovered the face sheet from Peterman’s procedure among a pile of documents confiscated during a routine traffic stop there. The health system learned of the discovery on Feb. 5, 2012, the lawsuit says, yet North Shore officials waited until March 20 to notify her.

In the meantime, Peterman received a bill from AT&T stating that someone had used her information to open five cell phone accounts and run up $2,292 in charges, damaging her credit rating.

Peterman works as an emergency room physician at the system’s 299-bed Huntington (N.Y.) Hospital, Lynam confirmed.

Summary of the Case

Twelve patients out of a group of 100 affected individuals filed the suit. An individual stole data from North Shore University Hospital in Manhasset. The information consisted of PHI, including names, addresses, birthdays, phone numbers and Social Security numbers. Following the breach, the health system sent letters to approximately 200 patients whose identities had been compromised and offered them free credit monitoring. Officials discovered and investigated the disclosure, but the covered entity did not perform the breach analysis until a year later. Lawyers for the 12 patients say this was too little and too late to help their clients.

What you must know

The main point a provider must remember is to take breach reporting seriously to stay out of harm’s way. In today’s environment the question is not whether but when a breach will affect an organization, so it is important to be prepared.

HIPAA Associates is prepared to assist you with your breach reporting. We can make your job much easier.