Health-law symposium addresses changing landscape

DeWITT  —  Regulations governing the privacy and security of health information are in line for changes, attendees of a recent seminar heard.

The Syracuse–based law firm Hancock Estabrook, LLP held a health-law symposium Jan. 10 at the DoubleTree by Hilton Hotel at 6301 State Route 298 in DeWitt. The symposium attracted 46 attendees who listened to its six speakers.

One of those speakers, Hancock Estabrook partner Laurel Baum, presented an update on the Health Insurance Portability and Accountability Act (HIPAA). She spoke as the federal government was expected to soon finalize a set of regulations known as the HIPAA Omnibus Rule.

“The Omnibus Rule contains information on privacy regulations, security regulations, enforcement changes, the breach notification which we’ve been kind of going with interim guidelines, and then also genetic information,” Baum said. “Hold on to your seats.”

The final rule will likely change the way that firms contracting with health-care organizations’ business associates are viewed, Baum said. They will probably be considered business associates as well, raising liability issues.

“If I’m a business associate of a health-care entity, and let’s say I contract with a coding expert to help with an audit, that coding expert is also going to now be a business associate,” she said. “Who’s going to now have liability directly under the law?”

Baum also discussed a pilot program for auditing organizations’ HIPAA compliance. The program, which ran from November 2011 to December 2012, saw the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) conduct 115 audits.

Under the pilot program, OCR did not need to have received a complaint in order to audit an organization’s compliance with the privacy law, according to Baum.

“They found a lot of errors, a lot of room for improvement,” she said. “Now that the pilot program is done, you’re probably going to see the audits start up again at the end of this year.”

Most HIPAA breaches seem to come from theft, not employees inappropriately posting information, she continued. That makes mobile devices particularly concerning, Baum added.

On the subject of HIPAA breaches, Baum talked about a recent settlement between HHS and Hospice of Northern Idaho, which she described as a “small provider.” That group agreed to pay HHS $50,000 for violations of the HIPAA Security Rule, which sets standards for electronic health information.

“It was a laptop that was stolen,” Baum says. “There was no encryption. There was really no risk assessment done prior to this happening. There was no policy in place.

“I think what this signifies is a shift from looking only at the large breaches. This one, I think, should really drive home a point that we have to do something,” she continues.

Baum stressed large and small organizations need to work for HIPAA compliance, because mistakes happen.

“They are going to be a lot worse for your organization, though, if you don’t have really meaningful risk-assessment policies documented,” she said. “Teach your staff.”

The symposium also included a presentation by Rob Hack, executive director of HealtheConnections RHIO, Central New York’s Regional Health Information Organization. Karen Romano, director of provider-engagement services for HealtheConnections, spoke as well.

Also speaking were Hancock Estabrook partners Catherine Diviney and Marguerite Massett. Diviney discussed Accountable Care Organization laws, while Massett addressed activities at New York’s Office of the Medicaid Inspector General. And, Frances Ciardullo — an attorney at New York City–based Fager & Amsler, LLP, which has a Central New York office — gave a talk titled “Understanding Subpoenas.”

Contact Seltzer at rseltzer@cnybj.com