Below is an excerpt of an article co-authored with Robinson+Cole Construction Law Group lawyer Virginia K. Trunkes and published in Healthcare Facilities Today on March 31, 2021. 

The need to update and implement new processes for delivering healthcare in response to the COVID-19 pandemic has resulted in the adoption of more automation, remote access and monitoring technologies. It also has brought data analytics into treatment and the patient environment. Healthcare providers have shifted from traditional waiting rooms and in-person visits for routine needs to remote check-ins, check-ups and updates via personal health record applications.

Providers increasingly rely on smart grid technologies, cloud computing, medical devices and health monitors connected via the internet of things (IoT), bio-sensing wearables, touchless technology, telehealth, online scheduling applications, electronic health records, virtual and remote triages, AI-based predictive analytics and machine learning, and most recently, interactive floor-plan images used by regulatory inspectors.

These technologies and care-delivery approaches depend on seamless connected systems and instant access to data that create a recipe for cybervulnerability. Decades of HIPAA and extensive penalties for non-compliance ensure that healthcare organizations are cognizant of obligations to maintain the privacy of their patients’ personally identifiable information. Read the full article.

On March 14, 2021, Connecticut Governor Lamont issued Executive Order 10C (EO 10C), which extends provisions of Public Act 20-2 (PA 20-2), a law passed by the Connecticut legislature in July 2020 that “provided additional flexibility for the delivery of telehealth services and insurance coverage of these services” but was scheduled to expire March 15, 2021. As a result of EO 10C, the provisions of PA 20-2 that were scheduled to expire on March 15 will remain in effect through April 20, 2021, in part to give the state legislature more time to “address the ongoing need for” expanded access to telehealth services. Continue Reading Connecticut Extends Expansion of Access to Telehealth Services

On January 28, 2021, the Department of Health and Human Services (HHS) issued a Fifth Amendment to HHS’s Declaration under the Public Health Readiness and Emergency Preparedness Act (PREP Act) that provides liability immunity to certain individuals and entities arising from the manufacturing, distribution, administration or use of medical countermeasures (e.g., therapeutics and vaccines) against COVID-19. Continue Reading COVID-19 Vaccine Update: HHS Expands Pool of Eligible Vaccinators under PREP Act

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals. Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

Continue Reading Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency.  The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities. Continue Reading OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI. Continue Reading HHS Proposes Modifications to the HIPAA Privacy Rule to Enhance Care Coordination and Management and Remove Barriers to Accessing Information

On December 7, 2020, Connecticut Governor Ned Lamont signed Executive Order No. 9Q (the “Order”) in anticipation of the approval of COVID-19 vaccines. The Order addresses and expands COVID-19 vaccine administration, establishes flu vaccine reporting requirements for pharmacists, and limits out-of-network charges for administration of authorized COVID-19 vaccines. Specifically, the Order: Continue Reading In Anticipation of COVID-19 Vaccine Approval, Connecticut Governor Ned Lamont Issues Executive Order To Facilitate Vaccine Administration and Reporting

On November 30 and December 2, 2020, the Department of Health and Human Services Office of Inspector General (OIG) published two final rules (available here: November 30 Final Rule and December 2 Final Rule) which modify the safe harbor regulations to the federal Anti-Kickback Statute (AKS) and codify a new exception to the Civil Monetary Penalty (CMP) Rules related to beneficiary inducements. Most of the changes are effective January 19, 2021.

Together with the new physician self-referral law (also known as Stark) regulations published by the Centers for Medicare & Medicaid Services on December 2, 2020, these updates represent long-awaited changes to the federal fraud and abuse laws, and are part of the federal administration’s Regulatory Sprint to Coordinated Care (see our analysis of that final rule here).

Click here for our full article, which includes a detailed summary of the final rules.

On November 20, 2020, the Centers for Medicare and Medicaid Services (CMS) published its long-awaited and highly anticipated final rule updating regulations promulgated under the Physician Self-Referral or “Stark” law (the OIG simultaneously published updates to the Anti-Kickback Statute regulations). Among other things, CMS introduced new Stark exceptions for certain “value-based arrangements,” the donation of cybersecurity technology and services and limited remuneration to physicians; introduced new definitions and updated key terms, including “commercial reasonableness,” the “volume and value” standard and “fair market value”; and updated several existing exceptions, including the exception for the donation of electronic health record items and services. The changes to the Stark law regulations become effective January 19, 2021, except for the changes concerning profit shares and productivity bonuses for group practices, which go into effect January 1, 2022.

Click here for our full article, which includes a detailed summary of the final rule.