Jeff Drummond is a partner in the health law section of Jackson Walker LLP. He primarily represents hospitals, physicians, and other providers in transactional and regulatory matters, with particular emphasis on Stark and Anti-Kickback issues. Drummond is a frequent writer and speaker on medical record privacy and security issues, and the legal issues involved in the use of social media in healthcare. He has written a blog on HIPAA since 2002, before the first HIPAA regulations became effective.

Is It Time To End The War Over Business Associate Agreements?

If you are involved in medical contracting at all, you are aware of the “BAA Wars.” HIPAA requires healthcare providers, health plans, and other covered entities to enter into “business associate agreements” (BAAs) with any vendors or contractors that will come into contact with medical records or other “protected health information” (PHI). Most “business associates” (as such vendors are known in HIPAA) and covered entities have their own form of BAA, which often leads to the immovable object/irresistible force situation: a big and powerful healthcare provider such as a large hospital system contracts with a big and powerful vendor such…

Breaking Down Healthcare’s Susceptibility To Hacking In Wake Of Anthem Breach

There are a lot of people saying that healthcare is particularly vulnerable to hacking. And, full disclosure, most of them stand to profit if you believe them (including HIPAA experts like me, in fact). The recent breach of insurance giant Anthem’s patient data gives an opportunity for a bunch of news articles on just this point. So let’s consider it for a moment. Much hacking and phishing is aimed at access to quick-value money: credit card numbers that can be used right away (with the victim perhaps not knowing about the use until the bill comes, or perhaps not even noticing it…

The Accidental Business Associate

Those of us involved in the healthcare field know about HIPAA and its requirements for the privacy and security of medical information. Many know that earlier this year, HHS published final regulations implementing 2009’s HITECH Act, which amended HIPAA in several important ways. One of the ways HIPAA changed was to place direct responsibility for HIPAA compliance onto business associates. Healthcare plans, hospitals, physicians, and other healthcare providers have been “covered entities” under HIPAA since it was first passed. Other entities that deal with medical information, such as billing companies, healthcare lawyers and accountants, and other vendors and service providers,…

Are Your HIPAA Notices in Order?

Previously I provided you with a list of areas to address in ensuring HIPAA compliance: determine if you are a business associate (or have vendors who are business associates); do a risk assessment; revise your policies and procedures and other documentation; prepare for a data breach; and train your workforce. I also gave some specific provisions to include in your business associate agreements. The last piece of the puzzle is making sure your Notice of Privacy Practices is sufficient. If you are a healthcare provider that provides services directly to patients, your NoPP is the document you give to each…

HIPAA Changes: How to Revise Your Business Associate Agreements

When HIPAA was originally enacted and the first set of regulations published, the statutory language specified that only certain “Covered Entities” would be required to abide by the law: health care providers, health insurance plans, and specialty health data entities known as health care clearinghouses.  That left many entities with regular access to medical information, such as billing companies, accountants, lawyers, pharmacy benefit management companies, and other healthcare entities and vendors, outside the scope of the law.  The original HIPAA regulations offered a fix for this conundrum: “Covered Entities” are required to enter into agreements with the “Business Associates” to…

A HIPAA To-Do List

Everyone in the healthcare industry is aware of the medical record privacy restrictions contained in the Health Insurance Portability and Accountability Act and its regulations (“HIPAA”), although HIPAA is probably as much misunderstood as it is misspelled.  The initial regulations of the Privacy Rule and the Security Rule, which became effective in 2003 and 2005, respectively, generated a great deal of activity as healthcare providers drafted agreements and implemented policies and procedures to become compliant with HIPAA. Enacted in early 2009 as part of the “Stimulus Bill,” the HITECH Act was the first statutory revision to HIPAA, making “business associates”…

BYOD: What’s your Policy?

It is a truism that modern medicine is one of the greatest triumphs of technology.  Therefore, it should come as no surprise that physicians, particularly the younger ones, tend to be “early adapters” of technology, and are among the most likely to acquire and use the latest gadgets.  As practitioners who see the value that the latest technological advances can bring to their patients, they are among the first to get and use the newest phone, tablet, or other mobile technology.  These gadgets allow physicians to check their schedules, transmit the latest information on a particular patient to consulting…

Down With OPM: Why Fixing Healthcare is so Hard

A few weeks ago, my family and I had dinner at a friend’s house in Irving. It was one of those refreshingly cool early September Saturday nights, so we lingered after dinner on the back deck, well past sunset. Jim is a dentist and I’m a healthcare lawyer, so it’s not surprising that our post-prandial conversation turned to the troubles of the American healthcare system. That gave me the opportunity to tell my favorite parable about the healthcare system—which is actually a story about working at McDonald’s. When I was a teenager, a McDonald’s restaurant was built in my home…

NFIB v. Sebelius: More About Law Than Healthcare

As a healthcare lawyer, many friends and acquaintances have asked my opinion on the Patient Protection and Affordable Care Act Supreme Court case. Fortunately, the decision gave me a really easy answer to that question. Although it certainly didn’t break the way I thought it would—or, for that matter, hoped it would—it did vindicate what I have said all along about Obamacare and healthcare reform generally: The Affordable Care Act is much more focused on health insurance reform or health finance reform than it is on healthcare reform. And the Supreme Court case isn’t about healthcare at all; it’s all about…