Health Information Exchanges and Electronic Medical Records (EMRs)

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that suffered a breach despite implementing cybersecurity safeguards protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly protects an entity covered by the law from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach, if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging,

On November 30 and December 2, 2020, the Department of Health and Human Services Office of Inspector General (OIG) published two final rules (available here: November 30 Final Rule and December 2 Final Rule) which modify the safe harbor regulations to the federal Anti-Kickback Statute (AKS) and codify a new exception to the Civil

On November 20, 2020, the Centers for Medicare and Medicaid Services (CMS) published its long-awaited and highly anticipated final rule updating regulations promulgated under the Physician Self-Referral or “Stark” law (the OIG simultaneously published updates to the Anti-Kickback Statute regulations). Among other things, CMS introduced new Stark exceptions for certain “value-based arrangements,” the donation

On November 20, 2020, the Department of Health & Human Services (HHS) released heavily anticipated final rules revising the regulatory exceptions to the Physician Self-Referral Law (also known as the Stark Law), the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations. The changes to the regulations go into effect on January 19, 2021 (except for one change to the Physician Self-Referral Law that becomes effective January 1, 2022). In a separate rule also released November 20th, HHS removed safe harbor protection for rebates involving prescription pharmaceuticals and created a new safe harbor for certain point-of-sale reductions in price on prescription pharmaceuticals and pharmacy benefit manager service fees.

The full text of each rule is available below.



On May 11, 2020, the Centers for Medicare and Medicaid Services (CMS) released a proposed rule to update Medicare payment policies for hospitals under the Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) for FY 2021 (the “Rule”). IPPS and LTCH PPS proposed rules are released on a fiscal year cycle to define payment and policies for inpatient hospitals, long-term care hospitals, inpatient rehabilitation facilities, inpatient psychiatric facilities, skilled nursing facilities, and hospices. CMS also released a fact sheet highlighting certain major provisions in the Rule.

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic.

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic. HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook Live or other livestreaming applications.

On March 9, 2020, the Department of Health and Human Services (HHS) announced final rules seeking to give patients more access to, and control of, their health data. The final rules were issued by the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS). The ONC rule is available here and the CMS rule here. Both rules implement interoperability and patient access provisions from the 21st Century Cures Act and the Trump administration’s MyHealthEData initiative.

On January 27, 2020, the Department of Justice (DOJ) announced a $145 million settlement with Practice Fusion Inc., an electronic health records (EHR) software company, resolving parallel criminal and civil investigations involving allegations of kickbacks, false claims, and non-compliance with federal EHR program requirements. We previously discussed a preliminary settlement in this case here, and in announcing the finalizing of that settlement the DOJ has shed more light on the allegedly improper conduct at issue. According to the DOJ, this is the first criminal action ever brought against an EHR company, and the “unique” deferred prosecution agreement (DPA) imposed by the DOJ against Practice Fusion, which seeks “to ensure acceptance of responsibility and transparency as to” underlying conduct, may reflect a new approach to settlements with corporate health care defendants.