Archives: Privacy and Security

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic. …

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 …

Federal Government Significantly Expands Telehealth Reimbursement During COVID-19 Public Health Emergency

On March 17, the Trump Administration announced expanded reimbursement for clinicians providing telehealth services for Medicare beneficiaries during the COVID-19 Public Health Emergency. The Centers for Medicare and Medicaid Services (CMS) published an announcement, a fact sheet and Frequently Asked Questions.  To further facilitate telehealth services, the Office for Civil Rights (OCR) issued a notification describing certain technologies that would be permitted to be used for telehealth without being subject to penalties under the Health Insurance Portability and Accountability Act regulations (HIPAA). In addition, the Office of Inspector …

HHS Issues Section 1135 Waiver, and CMS Issues Blanket Waivers of Health Care Laws, in Response to Coronavirus (COVID-19) Emergency

Following the President’s proclamation on March 13 that the COVID-19 outbreak constitutes a national emergency, Secretary of the Department of Health and Human Services (HHS) Alex Azar issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (full text available here) that waives or modifies certain health care laws and regulations in connection with the COVID-19 pandemic.  This “1135 Waiver” applies nationwide and took effect on March 15 at 6:00 p.m., but its applicability is retroactive to March 1, 2020.  The 1135 Waiver applies …

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.…

OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes

The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification (E1) transactions. The OIG recently released its report, which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.

What are E1 transactions and why is this information disturbing?…

Jackson Health System Fined by OCR

The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According …

HHS Proposes Changes to Permit Donation of Cybersecurity Technology

On October 17, 2019, the Department of Health and Human Services (HHS) published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe-harbors and exceptions to the Physician Self-Referral (PSR) Law, known commonly as the Stark Law (AKS proposed rule available here; PSR proposed rule available here). In an earlier blog post, we described each of the proposed rules. Among the proposed changes are a new safe harbor/exception that would generally permit entities to donate certain cybersecurity technology and related services to physicians, subject to compliance with …

Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated care” for individuals with SUD.…

Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

In its second quarter Securities Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.…

SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”…

CMS Announces Pilot Program for Clinicians to View Claims Data of Medicare Beneficiaries

On July 30, 2019, the Centers for Medicare & Medicaid Services (CMS) announced “Data at the Point of Care” (DPC), a pilot program that will provide clinicians with access to claims data. The pilot program follows on the heels of the recently proposed Interoperability and Patient Access Proposed Rule, which would require regulated health plans to make patient data available through an application programming interface (API). These actions are also part of the MyHealthEData initiative spearheaded by the White House Office of American Innovation.…

Health Care Organizations Have Highest Costs for Data Breaches

As readers of this blog know, data breaches in the health care industry are all too common. Health care organizations are an attractive target for hackers because of the nature and amount of personal information that they possess.

Therefore, it is perhaps not surprising that healthcare organizations have the highest costs associated with data breaches. They also have significantly higher costs as compared to other industries.

According to the 2019 Cost of a Data Breach Report recently released by the Ponemon Institute and IBM Security, which was based on in-depth …

OIG Issues Alert to Warn of ‘Free’ Genetic Testing Scams Seeking to Steal Information

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then using the stolen information for purposes of fraudulent billing and/or identity theft.…

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued …

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018, the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and …

Laws Affecting Health Care Entities in Connecticut Take Effect October 1, 2018

On October 1, 2018, a number of new laws affecting health care entities in Connecticut became effective. Below please find a brief description of some of the newly-effective provisions, as well as links to our analyses of the changes.…

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90).  This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies from charging fees for consumers to place or remove security freezes. This law takes effect on October 1, 2018.…

Connecticut Legislature Operationalizes New Health Oversight Agency: The Office of Health Strategy

On May 14, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-91 “An Act Concerning the Office of Health Strategy” (PA 18-91), a bill that operationalizes the Office of Health Strategy (OHS), a new health oversight agency in Connecticut. OHS is a division of the Department of Public Health (DPH) “for administrative purposes only” that was provisionally established by the Connecticut General Assembly within the budget implementer bill passed in a special session in late 2017 and accorded responsibility for developing and implementing a …

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the physician with pharmaceutical sales representatives that allowed the pharmaceutical company to target patients with specific conditions (and to correspondingly facilitate the receipt of prior authorizations for the company’s drugs from patients’ insurers).…

Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions to dismiss it as moot. The motion was submitted in response to the passage of the CLOUD Act on March 23, 2018, and the Solicitor General’s subsequent letter to the Court on that same date …

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:…
