Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog.

The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR. Continue Reading OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations

Below is an excerpt of an article by Robinson+Cole Construction Law Group lawyer Virginia K. Trunkes published in Construction Executive on May 11, 2021.

The COVID-19 pandemic has created opportunities for retrofitting new, flexible layouts in existing health care facilities and in existing commercial premises (e.g., office, retail and restaurant) where there is new community demand for an urgent care or drive-thru clinic.

Health care providers altering their design and construction desire to move quickly. They are understandably anxious to accommodate existing and new patients in this “new normal” of unpredictable demand surges, implementing flexible, varying circulation and workflow configurations.

However, the need to ensure an opportunity for planning and reflection is particularly important for a heavily regulated project such as health care construction. Not only must the design and construction meet the requirements of the local buildings department, but additional life safety and other patient-centered protective features must comply with federal regulations and referenced guidelines, as well as additional, state-mandated regulations.

On May 10, 2021, Connecticut Governor Ned Lamont signed into law “An Act Concerning Telehealth” (the “Act”). The Act extends, until June 30, 2023, many of the COVID-19 related telehealth expansions issued by Governor Lamont through executive orders. A press release from the Governor’s Office expressed the Act’s purpose to extend the duration of the expansion of telehealth services permitted by Executive Order 7G (for our previous analysis of Executive Order 7G, see here). Among other things, the Act:

  • Expands the types of providers that can provide telehealth services to include: physicians, physician assistants, physical therapists, chiropractors, clinical social workers, registered and advanced practice nurses, and others;
  • Until June 30, 2023, permits telehealth to be provided through audio-only technology and through store-and-forward technology;
  • Permits out-of-state licensed providers to provide telehealth services in Connecticut as long as they are providing such services pursuant to a relevant order issued by the Connecticut Commissioner of Public Health and maintain proper professional malpractice insurance;
  • Outlines the scope of permitted telehealth prescribing practices to permit prescribing schedule II and III non-opioid controlled substances for the treatment of a person with a psychiatric disability or substance use disorder;
  • Prohibits facility fees associated with telehealth services;
  • Allows providers to provide telehealth services from any location; and
  • Requires providers to accept as payment in full for telehealth services: (a) An amount equal to the Medicare reimbursement for such services if the provider determines the patient does not have health coverage for such services; or (b) The amount the patient’s health coverage reimburses, and any coinsurance, copayment, deductible or other out-of-pocket expense imposed by the patient’s health coverage, for such services if the provider determines the patient has health coverage for such services.

Connecticut’s Legislature has taken an interesting step in passing legislation that extends a COVID-19 related emergency order beyond the Governor’s emergency declaration. As states continue to ease restrictions and governors’ emergency powers end, it will be interesting to observe what emergency orders states’ legislatures extend or even make permanent. The Act is effective upon passage and lasts until June 30, 2023.

Below is an excerpt of an article co-authored with Robinson+Cole Construction Law Group lawyer Virginia K. Trunkes and published in Healthcare Facilities Today on March 31, 2021. 

The need to update and implement new processes for delivering healthcare in response to the COVID-19 pandemic has resulted in the adoption of more automation, remote access and monitoring technologies. It also has brought data analytics into treatment and the patient environment. Healthcare providers have shifted from traditional waiting rooms and in-person visits for routine needs to remote check-ins, check-ups and updates via personal health record applications.

Providers increasingly rely on smart grid technologies, cloud computing, medical devices and health monitors connected via the internet of things (IoT), bio-sensing wearables, touchless technology, telehealth, online scheduling applications, electronic health records, virtual and remote triages, AI-based predictive analytics and machine learning, and most recently, interactive floor-plan images used by regulatory inspectors.

These technologies and care-delivery approaches depend on seamless connected systems and instant access to data that create a recipe for cybervulnerability. Decades of HIPAA and extensive penalties for non-compliance ensure that healthcare organizations are cognizant of obligations to maintain the privacy of their patients’ personally identifiable information.

This post is also being shared on our Construction Law Zone blog.

On March 14, 2021, Connecticut Governor Lamont issued Executive Order 10C (EO 10C), which extends provisions of Public Act 20-2 (PA 20-2), a law passed by the Connecticut legislature in July 2020 that “provided additional flexibility for the delivery of telehealth services and insurance coverage of these services” but was scheduled to expire March 15, 2021. As a result of EO 10C, the provisions of PA 20-2 that were scheduled to expire on March 15 will remain in effect through April 20, 2021, in part to give the state legislature more time to “address the ongoing need for” expanded access to telehealth services. Continue Reading Connecticut Extends Expansion of Access to Telehealth Services

On January 28, 2021, the Department of Health and Human Services (HHS) issued a Fifth Amendment to HHS’s Declaration under the Public Health Readiness and Emergency Preparedness Act (PREP Act) that provides liability immunity to certain individuals and entities arising from the manufacturing, distribution, administration or use of medical countermeasures (e.g., therapeutics and vaccines) against COVID-19. Continue Reading COVID-19 Vaccine Update: HHS Expands Pool of Eligible Vaccinators under PREP Act

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals. Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

Continue Reading Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

The Office for Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities. Continue Reading OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps