HIPAA
When the Health Insurance Portability and Accountability Act (HIPAA) took effect in 2002, it brought sweeping changes in how you handle the privacy, portability, electronic transmission and security of every patient’s protected health information (PHI). The American Recovery and Reinvestment Act of 2009 (the “Stimulus Bill” or “ARRA”) brought numerous changes to HIPAA. The changes include expanding the reach of HIPAA and the scope of its civil and criminal penalties, imposing new notice requirements for privacy breaches, further limiting the sale of PHI, opening up enforcement activity to State Attorneys General, and otherwise significantly tightening up privacy practices and heightening compliance risks. Hospitals, nursing homes, insurers and their service providers all have ongoing responsibility not only to comply with the law but to evaluate the effectiveness of their compliance efforts.
Privacy Requirements
Whether you’re an administrator with general HIPAA responsibilities or a Chief Privacy Officer charged with full compliance oversight, Ungaretti & Harris will partner with you to ensure that your privacy procedures are full and effective. Our work with numerous healthcare providers throughout the Midwest enables us to give you best-practice advice on:
- Procedures for handling HIPAA Privacy Rule complaints.
- Written policies and procedures that incorporate and implement safeguards to preserve health record integrity, confidentiality and availability.
- Individual consent and authorization forms.
- Standard forms to grant or deny requests for restrictions on the access, use, disclosure or amendment of PHI.
- Procedures for giving notice of information practices.
- PHI disclosure logs.
Security Requirements
Your HIPAA security concerns increasingly focus on electronic transfer of health data. Your best assurance that proper procedures and safeguards are in place is a working partnership with our HIPAA lawyers and your IT personnel and suppliers. We review your policies for password protection, computer terminal access and data encryption, and make any necessary recommendations for remedial action. Given the major concern for data security of personal files in connection with employee benefit determinations, you get the added benefit of advice from one of the top ERISA practices at any mid-sized law firm.
Business Associate Agreements
Your hospital or provider organization understands the importance of PHI, but do your vendors and outside service providers? All contracts, new and existing, with all such outside companies must have adequate safeguards for any PHI that they may deal with. Insurers, third-party administrators, information technology providers – even cleaning service contractors – all must be HIPAA compliant. The Stimulus Act has significantly changed the role of a Business Associate, subjecting them to the same safeguards, policies, procedures and potential penalties as Covered Entities. This will change vendor contracts and the way many Business Associates operate, as they must tighten up practices and prepare for increased HIPAA enforcement activity. We ensure that your vendor agreements contain full safeguards that document requirements and responsibilities for proper handling of PHI.
Compliance Audits
Your best assurance of ongoing HIPAA compliance is to ask an Ungaretti & Harris healthcare lawyer to conduct a compliance audit at your facility. You will get an on-site review, complete with employee interviews, document examination and procedure assessment. The result is a final report containing factual findings, legal analysis and procedural recommendations covering all aspects of your HIPAA compliance. After your review of our findings, we can provide any necessary training and prepare any additional documentation and manuals to ensure that your staff understands their HIPAA responsibilities.
Litigation/Investigations
Your organization could at any time face a request seeking to make you release PHI to a law enforcement officer, court, or administrative body. We’ve helped clients respond to many such requests, and are skilled at demonstrating whether they show adequate cause for you to make the disclosure (for example, to assess competency to remain in a business partnership). You get definitive answers on what information, if any, you need to provide and who you are authorized to provide it to in a way that meets both your disclosure and privacy requirements.
Protection
HIPAA carries both civil and criminal penalties, and many states have enacted similar statutes that impose even greater penalties for noncompliance than the federal law. With the ARRA, we fully expect states to pursue HIPAA violations, increasing the need for careful compliance. Our informed guidance about best practices in the ways electronic health and benefit information is coded, stored, retained and communicated can be crucial in helping you to avoid costly legal sanctions. There is no reason to lie awake nights wondering whether HIPAA puts you at risk. Get answers from Ungaretti & Harris.