REGULATORY REVIEW

[Figure: HIPAA Enforcement Activities by Year. Horizontal axis: year; vertical axis: 0 to 20,000. Legend: Total Complaints; Corrective Action Required; Technical Assistance Provided; No Violation or Resolved without Corrective Action.]

state law can place additional requirements on an ASC so it is essential to address state laws when designing a HIPAA compliance program. Second, an ASC should not disclose PHI to any group, regardless of its level of authority, unless the request meets the requirements of the Privacy Rule. When requests do not satisfy the requirements of the Privacy Rule, as in the above example, or for subpoenas not accompanied by a court order, an ASC should contact the requesting party to explain the Privacy Rule’s requirements and determine that reasonable efforts have been made to ensure that the individual whose PHI is being sought received notice of the request, and that the party seeking the information made reasonable efforts to secure a qualified protective order, if applicable.

Improper Disclosure Due to Lack of Business Associate Agreement

What Happened: A complaint alleged that a law firm working on behalf of the covered entity in an administrative proceeding impermissibly disclosed the PHI of a patient. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the patient’s PHI. However, the investigation revealed that the covered entity and the law firm had not entered into a Business Associate Agreement as required by the Privacy Rule. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm.

Result: To resolve the matter, OCR required the covered entity and the law firm to enter into a business associate agreement.

Takeaway for ASCs: It is critical that ASCs and their business associates enter into a valid Business Associate Agreement before PHI is disclosed and that ASCs have procedures in place to ensure staff disclose PHI only to valid Business Associates. This should be an ASC’s primary concern when contracting with new associates who might receive PHI, even law firms.

Improper Disclosure Due to Automated System Error

What Happened: A covered entity sent an explanation of benefits by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the covered entity’s computer system put the PHI of approximately 2,000 families at risk of improper disclosure.

Result: OCR required the covered entity to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information.

Takeaway for ASCs: An ASC’s compliance program should specify procedures for regularly testing the security of all hardware and software used by the ASC. Additionally, an ASC should have procedures for documenting and honoring patients’ requests to be contacted in certain ways. For example, if a patient requested that an ASC contact only a provided mobile phone number, that request should be honored by staff and automated systems.

These examples are far from comprehensive but illustrate scenarios that a HIPAA compliance program must cover. It is essential that an ASC has a thoroughly documented compliance program and that staff receive comprehensive training relating to their responsibilities. For more scenarios and overall guidance on designing and evaluating an ASC’s HIPAA compliance program, refer to the ASCA Foundation’s HIPAA Workbook for ASCs, accessible to all facility and corporate members on ASCA’s web site.

Steven Selde is ASCA’s assistant regulatory counsel. Write him at

Track the Latest Regulatory and Legislative News for ASCs

Visit ASCA’s web site every week to stay up to date on the latest government affairs news affecting the ASC industry. Every week, ASCA’s Government Affairs Update newsletter is posted online for ASCA members to read. The weekly newsletter tracks and analyzes the latest legislative and regulatory developments concerning ASCs. GovtAffairsUpdate
