Health Information Exchanges and Electronic Medical Records (EMRs)

On November 28, 2022, the Department of Health and Human Services (HHS) issued a proposed rule to modify the confidentiality protections of Substance Use Disorder (SUD) patient treatment records under 42 CFR Part 2 (Part 2) to implement statutory amendments passed under Section 3221 of the Coronavirus Aid, Relief, and Economics Security (CARES) Act (42 U.S.C. 290dd-2). Comments are being accepted for 60 days from publication.

Continue Reading HHS Proposes Rule to Align Part 2 Records and HIPAA

Health care providers subject to the Information Blocking rules issued under the 21st Century Cures Act, Pub.L. 114–255, are reminded that such Information Blocking rules will apply to an expanded set of information beginning on October 6, 2022. The Information Blocking rules currently apply only to a limited portion of electronic health information (EHI) represented by the specific data elements identified in the United States Core Data for Interoperability version 1 standard (commonly referred to as USCDIv1). Effective October 6, 2022, the Information Blocking rules will apply to all EHI, which is defined as all electronic protected health information (as defined by HIPAA) to the extent that such electronic protected health information is included in a designated record set (also as defined by HIPAA), and excluding psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding.

Continue Reading REMINDER: October 6 Deadline for Information Blocking Rules Approaches

On February 28, 2022, the Office of the National Coordinator for Health Information Technology (ONC) issued data on information blocking claims received since April 5, 2021, the effective date of information blocking regulations enacted under the 21st Century Cures Act (Cures Act). As a reminder, in accordance with the Cures Act’s prohibition on certain information blocking practices, in 2020 ONC issued a pair of rules (available here and here) to implement information blocking regulations (now found at 45 CFR Part 171).  Due to COVID-related delays, ONC ultimately set a compliance date for such regulations of April 5, 2021. ONC is now sharing preliminary data on the information blocking claims received for the first time.
Continue Reading ONC Information Blocking Data Show Majority of Claims Against Health Care Providers

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements, and offer protection to businesses that have been the subject of a breach despite implementing cybersecurity safeguards from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.
Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging,

On November 30 and December 2, 2020, the Department of Health and Human Services Office of Inspector General (OIG) published two final rules (available here: November 30 Final Rule and December 2 Final Rule) which modify the safe harbor regulations to the federal Anti-Kickback Statute (AKS) and codify a new exception to the Civil

On November 20, 2020, the Centers for Medicare and Medicaid Services (CMS) published its long-awaited and highly anticipated final rule updating regulations promulgated under the Physician Self-Referral or “Stark” law (the OIG simultaneously published updates to the Anti-Kickback Statute regulations). Among other things, CMS introduced new Stark exceptions for certain “value-based arrangements,” the donation

On November 20, 2020, the Department of Health & Human Services (HHS) released heavily anticipated final rules revising the regulatory exceptions to the Physician Self-Referral Law (also known as the Stark Law), the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations.  The changes to the regulations go into effect on January 19, 2021 (except for one change to the Physician Self-Referral Law that becomes effective January 1, 2022). In a separate rule also released November 20th, HHS removed safe harbor protection for rebates involving prescription pharmaceuticals and created a new safe harbor for certain point-of-sale reductions in price on prescription pharmaceuticals and pharmacy benefit manager service fees.

The full text of each rule is available below.


Continue Reading Physician Self-Referral Law (Stark), Anti-Kickback Statute, and Beneficiary Inducement CMPs – HHS Releases Final Rules

On May 11, 2020, the Centers for Medicare and Medicaid Services (CMS) released a proposed rule to update Medicare payment policies for hospitals under the Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) for FY 2021 (the “Rule”).  IPPS and LTCH PPS proposed rules are released on a fiscal year cycle to define payment and policies for inpatient hospitals, long-term care hospitals, inpatient rehabilitation facilities, inpatient psychiatric facilities, skilled nursing facilities, and hospices. CMS also released a fact sheet highlighting certain major provisions in the Rule.
Continue Reading CMS Proposes IPPS and LTCH PPS Payment and Policy Changes for FY 2021

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic.
Continue Reading OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines