It seems we can’t have a conversation about data security these days without mentioning ransomware.  Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.

Ransomware – What is it?

At its most fundamental, ransomware is a type of malicious software that infiltrates a person's or company's computer system and encrypts certain data that is stored electronically.  Essentially, ransomware locks users out of their own data until a "ransom" is paid.  Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal the data housed within them.

Although not expressly mentioned in the Security Rule, a covered entity's or business associate's HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (ePHI), and a company needs to implement procedures to guard against and detect malicious software, including ransomware.


The Office of Civil Rights (OCR), a division of the Department of Health and Human Services, is the governmental agency responsible for investigating covered entities and business associates, and providing them with technical assistance, on matters of HIPAA compliance.  When a deficiency is found in a covered entity's or business associate's compliance with the Security Rule or the Privacy Rule, OCR takes the necessary action to remedy the deficiency, including imposing penalties or requiring the covered entity or business associate to enter into a corrective action plan.

As of the end of January 2017, OCR reported that the most commonly investigated HIPAA compliance issues are as follows:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their own PHI;
  • Use and disclosure of more than the minimum necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

Additionally, the following types of covered entities are the ones most often required to take corrective action in light of a compliance deficiency:

  • Private practices;
  • General hospitals;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans.

Complete Wellness, a Baltimore treatment center for patients with behavioral health and substance use disorders, was recently forced to post a Warning of Potential Privacy Violation relating to the loss of an unencrypted flash drive containing information of over 600 patients.  The employee who lost the flash drive had downloaded, without authorization, certain patient information including patient name, address, phone numbers, email address, birthdate, age, social security number, languages spoken, emergency contact, level of education, employer information, primary care physician, list of medications at admission, list of allergies, ethnicity, race, marital status, hurricane victim status, living situation, military service, arrest history, and hearing or vision difficulties.  Complete Wellness’ post fails to delineate a reason why the employee believed there was a need to put this extremely broad and detailed level of information for over 600 patients on a flash drive.

This incident is a good reminder for providers and other entities handling protected health information (PHI).  Strong policies and procedures, including disciplinary procedures, must be implemented to deter employees from making these types of mistakes.  IT systems, if possible and if reasonable, should not allow the downloading of PHI onto portable media without a certain level of authorization.  And, if it becomes necessary to place PHI on portable media, that portable media must be encrypted, logged/tracked, and it should only contain the absolute minimum amount of PHI necessary for the intended purpose.

Health care facilities, health plans, and business associates are increasingly turning to cloud service providers to store, maintain, and, at times, wholly manage the covered entity's or business associate's electronic protected health information (ePHI).  As covered entities and business associates migrate their data to the cloud, these entities need to take a closer look at their obligations under the Privacy Rule and the Security Rule.

When a covered entity or business associate contracts with a cloud service provider, the cloud service provider is a business associate of the hiring party.  As a threshold matter, the covered entity or business associate needs to enter into a HIPAA-compliant business associate agreement with the cloud service provider.  This agreement, often used alongside or as an attachment to a larger, service-level agreement, establishes the permitted and required uses and disclosures of ePHI by the cloud service provider.


House Bill 1040 is now headed to the South Dakota Governor's desk.  The Bill, which passed the SD Senate on February 7, adds "community living home" to the definition of a regulated health care facility, bringing such facilities within the scope of South Dakota's laws and regulations governing health care institutions under Title 34 of the South Dakota Code.

The Bill defines a “community living home” as any family-style residence whose owner or operator is engaged in the business of providing individualized and independent residential community living supports for compensation to at least one unrelated adult, but no more than four, and provides one or more regularly scheduled health related services, either administered directly or in collaboration with an outside health care provider.

If signed, the Bill will require operators of community living homes to apply for and receive a license prior to commencing operation.

On April 13, 2016, the South Dakota Supreme Court issued an important opinion in Berry Thomas Pitt-Hart, MD v. Sanford USD Medical Center.  The Pitt-Hart case involved a patient who had knee surgery at Sanford USD Medical Center ("Sanford") on November 10, 2009.  The day after surgery, he alleged, he was dropped and injured due to the negligence of a patient-care tech.  He commenced suit against Sanford on September 14, 2012.  Sanford argued that the claim was barred by SDCL 15-2-14.1's two-year limitations period.

The patient tried to circumvent the reach of SDCL 15-2-14.1 in three ways.  First, he argued that, since his claim was based upon the simple negligence of a tech, not the negligence of a health care practitioner (such as a surgeon negligently completing a procedure or a physician making the wrong diagnosis), the traditional, longer, three-year negligence statute of limitations should apply.  The Court rejected this argument, reasoning that when a defendant like a hospital is named, SDCL 15-2-14.1 applies to all the alleged "errors" and "mistakes" committed in the health care setting.

Next, the patient argued that SDCL 15-2-14.1 should have been tolled based upon Sanford’s fraud and estoppel.  In prior case law, the South Dakota Supreme Court had gone back and forth in referring to SDCL 15-2-14.1 as a period of limitations on some occasions, and of repose on others.  Here, the Court took the opportunity to clarify and confirm that SDCL 15-2-14.1 is a statute of repose that cannot be delayed by estoppel, tolling, or fraudulent concealment.  Per SDCL 15-2-14.1, two years after a medical error or mistake occurs, liability “no longer exist[s].”

Lastly, the patient argued that SDCL 15-2-14.1 should be tolled based upon the continuing treatment doctrine.  The South Dakota Supreme Court also rejected this argument, clarifying that South Dakota does not recognize a continuing treatment doctrine, but only a continuing tort theory that could delay the start of the statute of repose “(1) [when] there was a continuous and unbroken course of negligent treatment; and, (2) [when] the treatment was so related as to constitute one continuing wrong.”


Although we are well under way into the new year, health care providers, health care vendors, technology companies, and group health plans should all take additional time to consider and evaluate their health IT security and privacy programs.  2017 promises to be a year filled with news of additional data breaches and compliance updates to the Security Rule.

If your company is evaluating or updating its security and privacy programs, a thorough risk analysis is the key starting point.

On Wednesday, February 1, the South Dakota House of Representatives defeated HB 1003, a bill that would have allowed licensed nursing facilities to transfer nursing bed capacity to another facility.  The Bill would have required the transferee to license the transferred or purchased beds within twenty-four (24) months of the transfer or sale.

While the Bill's sponsor sought to add "a little bit of free enterprise" to the nursing facility industry in South Dakota, opponents of the Bill feared that the ability to freely transfer nursing bed capacity would disadvantage rural areas of South Dakota in favor of more populous areas, where residents are more likely to be private-pay residents rather than Medicaid recipients.

Another 2017 Bill the Health Care Group is watching is Senate Bill No. 61.  The Bill makes numerous amendments to South Dakota’s statutory scheme governing nurse practitioners and midwives.

Among the more important changes, SB 61 would broaden the scope of the advanced practice nursing and medical functions of nurse practitioners and nurse midwives.  Under SB 61, nurse practitioners and nurse midwives would be able to prescribe, procure, administer, and furnish pharmacological agents, including over-the-counter, legend, and Schedule II controlled drugs or substances, for indefinite periods of time, as opposed to the 30-day limit currently imposed.  Additionally, nurse practitioners would be allowed to conduct physical examinations to determine fitness for employment duties, not just for athletics.  Nurse midwives' functions would be expanded to include managing sexually transmitted infections in males.


As a part of the 2017 legislative session, South Dakota lawmakers are considering a number of bills affecting the health care industry in the state.  Senate Bill 49 is one Bill the Health Care Group is monitoring that will affect the regulation of independent emergency health care providers in the State.  The Bill seeks to amend current South Dakota law to include a 'free standing emergency medical care facility' within the definition of 'health care facility'.  A freestanding emergency medical care facility is defined in the Bill as any facility structurally separate and distinct from a hospital that directly receives a person and provides emergency medical care.  By including these freestanding facilities within the general definition of 'health care facility', independent emergency departments are brought within the scope of South Dakota's statutory and regulatory scheme governing hospitals and related institutions.  It is worth mentioning that the Bill exempts those freestanding facilities that are certified as a department of a hospital.

On January 25, the Bill passed the Senate by a vote of 34 to 1.  On January 26, the Bill was first read in the House and was referred to the Health and Human Services Committee.  Stay tuned as this Bill makes its way through the legislature.