Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
Covered Entity: Outpatient Facility
Issue: Impermissible Uses and Disclosures
An outpatient surgical facility disclosed a patient's protected
health information (PHI) to a research entity for recruitment purposes
without the patient's authorization or an Institutional Review Board
(IRB) or privacy-board-approved waiver of authorization. The outpatient
facility reportedly believed that such disclosures were permitted by the
Privacy Rule. OCR provided technical assistance to the covered entity
regarding the requirement that covered entities seeking to disclose PHI
for research recruitment purposes must obtain either a valid patient
authorization or an Institutional Review Board (IRB) or
privacy-board-approved alteration to or waiver of authorization. Among
other corrective actions to resolve the specific issues in the case, OCR
required the outpatient facility to: revise its written policies and
procedures regarding disclosures of PHI for research recruitment
purposes to require valid written authorizations; retrain its entire
staff on the new policies and procedures; log the disclosure of the
patient's PHI for accounting purposes; and send the patient a letter
apologizing for the impermissible disclosure.
| May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more |
| Tuesday, November 1, 2022 Modernizing Medicine Inc. (ModMed), an electronic health record (EHR) technology vendor located in Boca Raton, Florida, has agreed to pay $45 million to resolve allegations that it violated the False Claims Act (FCA) by accepting and providing unlawful remuneration in exchange for referrals and by causing its users to report inaccurate information in connection with claims for federal incentive payments. The Anti-Kickback Statute prohibits anyone from offering or paying, directly or indirectly, any remuneration — which includes money or any other thing of value — to induce referrals of items or services covered by Medicare, ...read more |
| Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI? This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded. Yes. When an individual requests access to her PHI and the covered entity intends to charge the ...read more |
| Dentist Revises Process to Safeguard Medical Alert PHI Covered Entity: Health Care Provider Issue: Safeguards, Minimum Necessary An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating ...read more |
|
August 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
EHR Fraud (1)
ePHI (2)
Telehealth (1)
HIPAA Enforcement (3)
PPP Fraud (1)
Data Breach (1)
Covered Entity (40)
HIPAA (2)
BAA (4)
|
