Archives: Privacy and Security

Subscribe to Privacy and Security RSS Feed

HHS Issues Guidance for Providers on Soliciting COVID-19 Blood and Plasma Donations

On June 12, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued timely HIPAA guidance (Guidance) regarding solicitations of blood and plasma donations from recovered COVID-19 patients.

In the Guidance, OCR affirms that health care providers can use patient information to identify patients that have recovered from COVID-19 to provide information about how they may donate plasma or blood with COVID-19 antibodies to support treatment of other patients with COVID-19. OCR explains that this use of protected health information would be permissible as …

OCR Issues Guidance About Media Access to Health Care Facilities

These days, news stations are frequently running stories concerning people being treated for COVID-19, the providers working tirelessly to care for them, and politicians visiting health care facilities for a first-hand look at the crisis. In response to the media interest, the Office for Civil Rights (OCR) issued guidance on May 5, 2020 to healthcare providers answering the question “Does the COVID-19 Public Health Emergency alter the HIPAA Privacy Rule’s restrictions on disclosures of protected health information to the media?” The guidance reminds them “that the HIPAA Privacy Rule does …

Connecticut Governor Expands Health Care Workforce, Access to Telehealth Services and Issues Other Important Health Care Updates in New Executive Orders

Connecticut Governor Ned Lamont recently issued four new executive orders to address the COVID-19 state of emergency (Executive Orders 7CC – 7FF) that contain provisions relevant to health care providers and facilities in the state.  Among other things, the Executive Orders (i) expand access to telehealth services, (ii) expand the available health care workforce, (iii) increase current reporting requirements for long-term care facilities, (iv) allow the Commissioner of the Department of Social Services (DSS) to scale back certain Medicaid program requirements, and (v) update requirements related to out-of-network emergency billing.  …

HHS Waives HIPAA Penalties for Operation of a Community-Based COVID-19 Testing Site

On April 9, 2020 the Department of Health & Human Services Office for Civil Rights (OCR) issued another Notification that it will exercise its enforcement discretion and not impose penalties for HIPAA violations in connection with good faith participation in the operation of COVID-19 testing sites during the COVID-19 emergency.…

CARES Act Provides Vital Financial Support for Health Care Providers on COVID-19 Front Lines

On March 27, Congress enacted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act, or the Act), Public Law 116-136, a trillion-dollar stimulus bill intended to provide financial assistance to individuals and business affected by the COVID-19 pandemic.  The Act contains a broad range of measures intended to bolster the economy in the midst of the COVID-19 pandemic.  Unsurprisingly, a central focus of the Act is the provision of relief and support for hospitals and health care providers on the front lines of the COVID-19 pandemic.  This article …

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic. …

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 …

Federal Government Significantly Expands Telehealth Reimbursement During COVID-19 Public Health Emergency

On March 17, the Trump Administration announced expanded reimbursement for clinicians providing telehealth services for Medicare beneficiaries during the COVID-19 Public Health Emergency. The Centers for Medicare and Medicaid Services (CMS) published an announcement, a fact sheet and Frequently Asked Questions.  To further facilitate telehealth services, the Office for Civil Rights (OCR) issued a notification describing certain technologies that would be permitted to be used for telehealth without being subject to penalties under the Health Insurance Portability and Accountability Act regulations (HIPAA). In addition, the Office of Inspector …

HHS Issues Section 1135 Waiver, and CMS Issues Blanket Waivers of Health Care Laws, in Response to Coronavirus (COVID-19) Emergency

Following the President’s proclamation on March 13 that the COVID-19 outbreak constitutes a national emergency, Secretary of the Department of Health and Human Services (HHS) Alex Azar issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (full text available here) that waives or modifies certain health care laws and regulations in connection with the COVID-19 pandemic.  This “1135 Waiver” applies nationwide and took effect on March 15 at 6:00 p.m., but its applicability is retroactive to March 1, 2020.  The 1135 Waiver applies …

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.…

OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes

The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification transactions (E1) transactions. The OIG recently released its report which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.

What are E1 transactions and why is this information disturbing?…

Jackson Health System Fined by OCR

The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According …

HHS Proposes Changes to Permit Donation of Cybersecurity Technology

On October 17, 2019, the Department of Health and Human Services (HHS) published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe-harbors and exceptions to the Physician Self-Referral (PSR) Law, known commonly as the Stark Law (AKS proposed rule available here; PSR proposed rule available here). In an earlier blog post, we described each of the proposed rules. Among the proposed changes are a new safe harbor/exception that would generally permit entities to donate certain cybersecurity technology and related services to physicians, subject to compliance with …

Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated care” for individuals with SUD.…

Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

In its second quarter Securities Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.…

SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”…

CMS Announces Pilot Program for Clinicians to View Claims Data of Medicare Beneficiaries

On July 30, 2019, the Centers for Medicare & Medicaid Services (CMS) announced “Data at the Point of Care” (DPC), a pilot program that will provide clinicians with access to claims data. The pilot program follows on the heels of the recently proposed Interoperability and Patient Access Proposed Rule, which would require regulated health plans to make patient data available through an application programming interface (API). These actions are also part of the MyHealthEData initiative spearheaded by the White House Office of American Innovation.…

Health Care Organizations Have Highest Costs for Data Breaches

As readers of this blog know, data breaches in the health care industry are all too common. Health care organizations are an attractive target for hackers because of the nature and amount of personal information that they possess.

Therefore, it is perhaps not surprising that healthcare organizations have the highest costs associated with data breaches. They also have significantly higher costs as compared to other industries.

According to the 2019 Cost of a Data Breach Report recently released by the Ponemon Institute and IBM Security, which was based on in-depth …

OIG Issues Alert to Warn of ‘Free’ Genetic Testing Scams Seeking to Steal Information

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then using the stolen information for purposes of fraudulent billing and/or identity theft.…

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued …

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and …

Laws Affecting Health Care Entities in Connecticut Take Effect October 1, 2018

On October 1, 2018, a number of new laws affecting health care entities in Connecticut became effective. Below please find a brief description of some of the newly-effective provisions, as well as links to our analyses of the changes.…

LexBlog