ShareThe November 2019 issue of the Connecticut Medicaid Program’s Provider Quarterly Newsletter urges providers and their trading partners to routinely review and monitor “user roles” and levels of access that their representatives have to information exchanged with the Medicaid program. The Newsletter additionally recommends deactivation and removal of staff access of those separated from employment. A reminder to report all suspected protected health information (PHI) breaches and related incidents immediately and to develop and maintain training for staff on HIPAA compliance comprises the balance of the advice contained in the Connecticut Department of Social Services’ publication.
Those not already familiar with HIPAA’s breach reporting requirements, may wish to read the Submitting Notice guidance on the United States Department of Health and Human Services’ (HHS) website. Additionally, the Connecticut Attorney General’s website identifies reporting obligations that pertain to security breaches involving computerized data and not just PHI. Reporting requirements for PHI and other data breaches can arise under federal and state law as well as by contract. The full extent of notification responsibilities may depend on a variety of factors including the law of other states where patients may reside. Accordingly, providers and other covered entities are well advised to consult with an attorney and consider notifying their insurance company as well when confronted with a known or suspected data breach.
Attention to maintaining privacy and security of PHI could be more important than ever as new proposed rules covering the sharing of penalties by federal authorities with patients harmed by HIPAA violations may be issued in the new year. Currently, settlements with the HHS Office for Civil Rights result in payments to the government only and not patients. Private data breach lawsuits, sometimes brought as class actions, may follow or precede government action. In Connecticut one can bring a private cause of action for money damages for harms suffered as a result of unauthorized release of confidential information under the Connecticut Supreme Court’s decision in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. The Connecticut Attorney General and Connecticut Commissioner of Consumer Protection actively prosecute actions when significant data breaches occur. Breaches may also lead to penalties imposed on licensees as a result of complaints to the Connecticut Department of Public Health.
In this environment and with an anticipated push at the federal level to expand a patients' ability to control the use or disclosure of their PHI and to access PHI, providers and other custodians of PHI should be more motivated than ever to shore up their HIPAA practices as 2019 comes to a close and as the rules governing electronic health records continue to grow and evolve.
This blog/web site presents general information only. The information you obtain at this site is not, nor is it intended to be, legal advice, and you should not consider or rely on it as such. You should consult an attorney for individual advice regarding your own situation. This website is not an offer to represent you. You should not act, or refrain from acting, based upon any information at this website. Neither our presentation of such information nor your receipt of it creates nor will create an attorney-client relationship with any reader of this blog. Any links from another site to the blog are beyond the control of Pullman & Comley, LLC and do not convey their approval, support or any relationship to any site or organization. Any description of a result obtained for a client in the past is not intended to be, and is not, a guarantee or promise the firm can or will achieve a similar outcome.
About Our Connecticut Health Law Blog
Alerts, commentary and insights from the attorneys of Pullman & Comley’s Health Care practice on legal developments affecting hospitals, physician groups, pharmaceutical and medical device companies as well as other health care providers and suppliers.