Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

CMS' Oversight of Security Rule "Not Sufficient" According to the OIG

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

On May 16, 2011, the Office of Inspector General (“OIG”) published a report with the results from its nationwide review of the Centers for Medicare and Medicaid Services (“CMS’”) oversight of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In its review, the OIG sought to determine the sufficiency of CMS’ oversight and enforcement actions pertaining to hospitals’ implementation of the HIPAA Security Rule. Pursuant to the Security Rule, covered entities, such as hospitals, must implement technical, physical, and administrative safeguards for the protection of electronic protected health information (“ePHI”). According to the OIG, CMS’ oversight and enforcement actions were “not sufficient,” leaving limited assurance of the security of hospitals’ ePHI.

The report details the results from the OIG’s audits of seven hospitals. The audits disclosed “numerous internal control weaknesses.” Specifically, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as “high impact.” These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. As the report describes it, a high impact vulnerability is one that (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at the HHS Office for Civil Rights (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR is developing the "periodic audit" plan required by the HITECH Act, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.

We'll keep you posted as things progress . . .

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore

On April 27, 2010, the Mexican Senate passed the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, the Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

California Health Care Update: New Laws Adopted in 2009 and Effective in 2010

This post was written by Daniel A. Cody, Paul W. Pitts and Alison B. Riddell.

Although California legislators devoted a significant amount of time and resources to addressing the state’s budget shortfall and the economic recession, the 2009 legislature debated and passed a surprising number of bills related to health care, many of which will become effective January 1, 2010. New laws impacting California health care providers include:

  • Amendments to the 2008 law requiring certain health care providers to disclose unlawful and unauthorized uses or disclosures of medical information
  • Laws requiring the Department of Public Health [www.cdph.ca.gov] to process and approve applications for new or modified hospital outpatient services more promptly
  • Provisions impacting the delivery of radiologic and diagnostic imaging services, such as permitting physician assistants to provide fluoroscopy services under the supervision of a physician
  • Amendments to California’s False Claims Act that expand the types of claims subject to the law, extend the state’s prosecutorial authority, and increase the penalties for violating the statute
  • Laws subjecting long-term care providers to new ownership disclosure requirements
  • Assembly Bill 215, which makes California one of the first states to recognize and incorporate the controversial Five-Star Quality Rating for nursing facilities created by the Centers for Medicare & Medicaid Services

For the full summary of major legislation impacting California physicians, hospitals, nursing facilities, and other licensed health care facilities, read our client alert.

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

This post was written by Brad M. Rostolsky, Gina M. Cavalier, Debra L. Hutchings, Kerry A. Kearney, and Mark S. Melodia.

On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services (“HHS”) to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.

Click here to read the full alert.