Many business operators know that the federal privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) apply to health information maintained by “covered entities,” such as health care providers and health plans. Fewer know that new regulations, effective September 2013, expand the scope of direct responsibility for compliance.
Now, HIPAA rules directly apply to “business associates” of covered entities. Business associates, like covered entities, are subject to penalties of $100 to more than $50,000 per HIPAA violation, says Jules S. Henshell, of counsel at Semanoff Ormsby Greenberg & Torchia, LLC. If the violation resulted from willful neglect, the Department of Health and Human Services’ Office for Civil Rights (OCR) must impose a penalty of at least $10,000 per violation, which increases to at least $50,000 if the violation isn’t corrected within 30 days.
“As recently as December 2013, a dermatology physician practice was required to pay a $150,000 fine arising from a report of the theft of an unencrypted ‘thumb drive’ from a vehicle,” Henshell says. “That settlement with OCR is a clear signal that covered entities and their business associates are potential targets of HIPAA enforcement actions regardless of their size.”
Smart Business spoke with Henshell about managing HIPAA risk in your company.
Who qualifies as a business associate?
A business associate is any entity that creates, receives, maintains or transmits protected health information (PHI) in the course of performing services on behalf of a covered entity. Any business that handles PHI, such as billing and coding companies, information technology contractors, document storage or destruction companies, accountants and lawyers, may be subject to the new regulations. If a business associate uses a subcontractor to perform services that involve handling PHI, the subcontractor must also comply.
Where do companies routinely fail to take adequate action?
Health care providers and their business associates increasingly rely upon technology to record, store and manage data. That data may include PHI.
It is not uncommon for personnel to work remotely or take work home. Employees routinely use personal smartphones or home computers to access business email and documents. Such conduct can promote efficiencies, but it also gives rise to the risk of privacy or security breaches in the absence of adequate technical and physical safeguards.
What preventive actions do you recommend?
Benjamin Franklin got it right when he said, ‘An ounce of prevention is worth a pound of cure.’ It is not enough to adopt policies and procedures for protecting patient privacy. As in the case of the stolen thumb drive, security breaches may be avoidable if a company establishes, monitors and enforces appropriate safeguards.
Businesses that handle PHI should review and update policies governing patient privacy and evaluate whether they have adequate administrative, technical and physical safeguards to protect the integrity, confidentiality and availability of electronic PHI. They should establish computer access controls, use firewalls, virus protections and encryption; back up data; and implement security policies and procedures to meet HIPAA’s expanded scope.
They also need written agreements with business associates and/or subcontractors to protect and secure patient information.
Do you have any other advice?
The new regulations impose significant requirements on business associates to:
- Perform and document a risk assessment of computer systems and portable devices.
- Implement administrative, technical and physical safeguards to protect the integrity, confidentiality and availability of PHI.
- Enter into and perform in accord with a written business associate agreement with covered entities to protect privacy and security of PHI.
- Report privacy breaches and security incidents to the covered entity.
Health care providers routinely require contractors to sign business associate agreements containing indemnification provisions that increase responsibilities and risks. Before signing, determine whether your business really is a business associate.
Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC
The Family and Medical Leave Act (FMLA) entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons. However, should an employer fail to comply with the FMLA requirements, the employer could be subjecting itself to litigation and possibly fines from the Department of Labor.
“There are a lot of obligations on the employer. To the extent that you’re not aware of these, you should contact an attorney to make sure you’re following the strict requirements of the FMLA,” says Michael B. Dubin, a member at Semanoff Ormsby Greenberg & Torchia, LLC.
Smart Business spoke with Dubin about employer compliance with the FMLA.
What does the FMLA allow employees to do?
Eligible employees are entitled to 12 workweeks of unpaid leave in a 12-month period for:
- The birth of a child and to care for the newborn child.
- The placement with the employee of a child for adoption or foster care and to care for the newly placed child.
- To care for the employee’s spouse, child or parent who has a serious health condition.
- A serious health condition that makes the employee unable to perform the essential functions of his or her job.
- Any qualifying exigency arising out of the fact that the employee’s spouse, son, daughter or parent is a covered military member on ‘covered active duty’; or 26 workweeks of leave during a single 12-month period to care for a servicemember with a serious injury or illness if the eligible employee is the servicemember’s spouse, child, parent or next of kin (military caregiver leave).
What employers are covered by FMLA?
The FMLA only applies to employers that meet certain criteria. A covered employer includes a private-sector employer with 50 or more employees in 20 or more workweeks in the current or preceding calendar year; and public agencies and public or private elementary or secondary schools, regardless of the number of employees.
What employees are eligible for FMLA leave?
Employees are eligible if they: have been employed by a covered employer for at least 12 months, which need not be consecutive; had at least 1,250 hours of service during the 12-month period immediately preceding the leave; and are employed at a worksite where the employer employs at least 50 employees within 75 miles.
Can an employee take intermittent leave?
Under certain circumstances, an employee may take FMLA leave on an intermittent or reduced schedule basis. That means an employee may take leave in separate blocks of time or by reducing the time worked each day or week for a single qualifying reason. When leave is needed for planned medical treatment, the employee must make a reasonable effort to schedule treatment so as to not unduly disrupt the employer’s operations. Employers must be careful to accurately track intermittent leave.
Can an employee be terminated at the conclusion of the 12-week leave?
Upon return from FMLA leave, an employee must be restored to his or her original job or to an equivalent job with equivalent pay, benefits, and other terms and conditions of employment. However, there is a limited exception for ‘key employees’ where reinstatement will cause ‘substantial and grievous economic injury.’
Many employer FMLA policies provide that if an employee fails to return to work at the conclusion of the 12-week leave, the employee will be deemed to have abandoned his or her job and/or will be automatically terminated. Employers are discouraged from maintaining this type of policy as it may be deemed a violation of an employee’s rights under the Americans with Disabilities Act (ADA). At the conclusion of an employee’s FMLA leave, employers should consider whether the employee will be able to perform the essential functions of the job with or without a reasonable accommodation (pursuant to the ADA), which may include additional time off following FMLA leave.
If confronted with an issue under FMLA, employers are cautioned to contact an attorney to ensure they are acting in conformity with the FMLA and avoiding the numerous pitfalls inherent in complying with the FMLA.
Michael B. Dubin is a member at Semanoff Ormsby Greenberg & Torchia, LLC. Reach him at (215) 887-2658 or email@example.com.