
HIPAA Compliance Update

Blog Post

HIPAA compliance has been part of the regulatory landscape of healthcare since the privacy rules became effective in 2003. Since that time, most providers have taken steps to develop their compliance plans, including distributing notices of privacy practices, obtaining authorizations for release of information as needed, and obtaining business associate agreements from third parties. Since the initial rules went into effect, providers have needed to update and revise their policies, notices and other forms to accommodate the changes included in the HITECH amendments and the related changes in the security standards.

The federal Office of Civil Rights (OCR) is assigned primary responsibility for enforcing HIPAA violations. As of September 30, 2015, HHS reports that it had received over 120,000 complaints, of which 90% have been resolved. HHS also reports that it had collected over $22.8 million in fines and sanctions from those violations. Although not included in the September 30 summary, there have been over a dozen criminal prosecutions for various HIPAA violations.

Because the statute and regulations have been in effect for over a decade, some practices may not pay as much attention to HIPAA compliance as they should.

Change in Enforcement Emphasis.

In the early years of HIPAA, the position of the government was that it would work with practices toward the goal of achieving compliance rather than focus on punitive measures or sanctions. That approach started to change with the adoption of the HITECH amendments, which dramatically increased the size of penalties. Currently, the statute provides that a HIPAA sanction for the lowest tiered violation is $100 per violation with a maximum of $25,000. A second tiered violation has a minimum sanction of $1,000 with a maximum of $100,000. The third tier has a minimum sanction of $10,000 with a maximum of $250,000, and the highest tier carries a sanction of $50,000 per violation with a maximum of $1,500,000, in addition to other penalties, which may include mandatory compliance plans and criminal penalties.

As part of its 2015 action plan, HHS has reported that it intends to increase the level of HIPAA enforcement. Most importantly, HHS reports that rather than simply responding to complaints, it will take a more aggressive position in conducting HIPAA audits of providers, whether or not a specific complaint has been asserted against that provider. As in other settings where the government has announced a plan for health care related audits, we anticipate that larger providers will initially be targeted for HIPAA audits, but there will also be random audits of all types of health providers. If HHS were to detect a pattern of violations in a particular practice area, we would anticipate a more aggressive audit strategy to follow.

Other Enforcement Authority.

Under the HITECH amendments, in addition to enforcement actions by the federal government, the statute specifically authorizes the Attorney General of each state to pursue civil actions for violations of the statute. We expect this to increase, particularly where public reports of breaches occur. Penalties recovered by a state are paid to the state and may include funds for affected patients.

Direct Patient Claims.

Occasionally, a patient will assert that they have a HIPAA claim and threaten to sue a provider for a claimed HIPAA violation. A patient is not permitted to file a lawsuit directly against a provider for a HIPAA violation. Because the statute specifically assigns enforcement authority for HIPAA to the federal government (or the state’s Attorney General), and because the statute does not specifically authorize a patient to file a direct complaint, the law provides that the patient does not have a “private cause of action” under which a patient can sue the provider directly. A patient may file a complaint with the Office of Civil Rights, and it is up to the OCR to pursue the claim, if it pursues it at all. Most often, a patient complaint will lead to the OCR sending a copy of the complaint to the provider and requesting that the provider submit copies of its compliance manual documents and provide its account of the events.

Common Law Claims.

In 1999, in the Biddle case, the Ohio Supreme Court recognized an independent claim for the “unauthorized, unprivileged disclosure to a third party of non-public medical information.” This case was decided before the privacy rule regulations were published and before their effective date. The courts have concluded that the Biddle doctrine remains effective and is not pre-empted by the HIPAA regulations. In short, a patient could assert a claim under the Biddle theory, which might be similar to HIPAA, but cannot use a violation of the HIPAA rules as the basis for a finding of liability under Biddle.

That statement might seem confusing, and in fact it is. In the recent case of Sheldon v. Kettering Health Network, the Court of Appeals was faced with a HIPAA-like claim against a hospital system. An administrator at the hospital had improperly accessed the electronic health records of his former spouse and had shared that information with another employee whom he was dating at the time. Upon discovery of the disclosure, the former spouse sued her ex-husband and the hospital. The patient later dismissed the claim against her ex-husband and pursued the claim exclusively against the hospital. The Court of Appeals held that the hospital could not be held liable for the actions of its employee under the Biddle theory because the employee’s conduct was not in furtherance of the business of the hospital. If the hospital employee had obtained the information at the direction of the hospital and had been directed to share it with others, the hospital could potentially be responsible, but in this case the court concluded that because the employee was acting outside the scope of his job responsibilities, his employer could not be held responsible for that breach under the Ohio common law theory.

The Sheldon decision is important for health care providers. From time to time, hospitals and practices have employees who access information for their own purposes or out of curiosity, and the Sheldon case provides those employers an additional level of protection from civil liability.

HIPAA Compliance Action Steps.

Even though HIPAA does not give patients a private cause of action directly against providers, and the Sheldon case provides additional protection for employers, practices should still take some steps to protect themselves against future claims or government enforcement activity.

  1. Dust Off the Compliance Manual. Many practices created their manual in 2003 and have not updated or reviewed it in the past decade. At a minimum, the manual should have been updated to include the HITECH changes in 2009. Make sure you continue to distribute the Notice of Privacy Practices.
  2. Update Your Forms. The Notice of Privacy Practices, Authorization and Business Associate Agreements all needed to be updated under the HITECH amendments. You should verify that you have a current form of Business Associate Agreement in effect with all third parties as needed. A 2003 version BAA will not likely be compliant. Remember that it is the provider’s obligation to obtain signed authorizations and BAAs; the party requesting information will not necessarily provide them to you.
  3. Staff Training. HIPAA training should be part of every new employee’s orientation, with regular in-service training to make sure that your staff is complying with the Privacy and Security Rules and has not, with the passage of time, grown lax in protecting patient information. Professionals need to set the example by following the rules.
  4. Investigations of Potential Breach. Under HITECH, any claimed breach requires the provider to conduct an investigation. The investigation may result in a finding of no breach, but if so, the practice should still maintain records of the review and its conclusions on those issues. Sometimes the result is a decision that some re-education of employees is appropriate; other times more serious steps may need to be taken, including self-disclosure to the government.

While most practices are extremely conscientious in protecting the confidentiality of patients’ records, given the hectic pace of most practices today, errors may occur if your staff does not remain vigilant in their compliance. Early attention to compliance will prevent the practice from having significant problems down the road.

If you would like copies of the Biddle or Sheldon decisions or have any questions regarding HIPAA compliance, please contact Scott P. Sandrock at (330) 253-4367.
