Earlier this week, numerous media outlets reported on the Russian crime ring which had managed to steal more pieces of Internet data than any other group of hackers in history – a whopping collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that … Continue Reading
The California Attorney General, Kamala D. Harris, has issued a long-awaited guide on how companies can comply with the California Online Privacy Protection Act (CalOPPA). CalOPPA applies to all companies which collect personally identifiable information from California residents online, regardless of whether that information is collected via a commercial website or a mobile application. This … Continue Reading
Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading
On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading
On February 6, 2014, the U.S. Department of Health & Human Services' (HHS) Centers for Medicare & Medicaid Services, Centers for Disease Control and Prevention, and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 regulations to provide patients with direct access to laboratory test reports. HHS believes that patients should have the right to access these test reports in order to gain vital information, allowing them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply by October 6, 2014.… Continue Reading
The Privacy and Security Tiger Team, a subcommittee of the Office of the National Coordinator for Health IT's HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information contained in an electronic designated record set, concluding that the rule is overbroad and lacks value.… Continue Reading
After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System ("NICS") the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the "mental health prohibitor").
OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.… Continue Reading
According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. The OIG's report concluded that OCR failed to provide for periodic audits to ensure that covered entities were in compliance with the Security Rule, and failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.… Continue Reading
The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.
The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS' decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders.… Continue Reading
On September 5, 2013, Adheris, Inc. ("Adheris"), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services ("Secretary"), and the Department of Health & Human Services ("HHS"), challenging the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary's enforcement of these restrictions, which was set to begin on September 23, 2013.
In a joint motion filed by the parties today seeking to suspend the court's schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule's "reasonable in amount" restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.… Continue Reading
Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.
Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier's hard drive from "CBS Evening News" (CBS).… Continue Reading
This post was written by Daniel Kadar. As a champion for the protection of personally identifiable information and with broad definitions for the concepts of personal and medical data, France has established a very specific set of policies requiring that all bodies hosting medical data must apply for official accreditation or work with an accredited … Continue Reading
Reed Smith’s Global Regulatory Enforcement Law blog features a post on the recent publication of the application decree to the “French Sunshine Act” by the French Ministry of Health. “A Brave New World? The ‘French Sunshine Act’ imposes online disclosure of contracts with HCPs, as well as of payments of ‘advantages’ to HCPs, dating back … Continue Reading
The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers. … Continue Reading
This post was also written by Zachary A. Portin. On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them. In Opis Management Resources LLC v. Secretary Florida Agency for … Continue Reading
This post was also written by Zachary A. Portin. Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information? This is … Continue Reading
The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe-harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.… Continue Reading
Reed Smith's Global Regulatory Enforcement blog features a post on a December 2012 French Supreme Court ruling in a case involving a French Director in a health care company who had been dismissed on the grounds of a clear breach of health care compliance obligations as set forth in the French Public Health Code. The outcome: even though a company is acting in a highly regulated environment such as health care, compliance breaches must be integrated in the employer-employee relationship if they are to justify termination in France. As Reed Smith Partner Daniel Kadar notes, this case serves as a reminder to any international health care organization that the worldwide adoption of compliance guidelines and of a Code of Conduct is not in itself a sufficient protection against compliance breaches - everything depends on how these tools are implemented locally.… Continue Reading
On February 27, 2013, the HHS Office for Civil Rights ("OCR") announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR's health information privacy enforcement team signals that OCR's increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH's Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary's $1.5 million settlement in September. OCR's 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency's focus will be on Security Rule compliance (specifically with regard to the whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.… Continue Reading
On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule's "harm" threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.… Continue Reading
The Office for Civil Rights ("OCR") of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the "HITECH Final Rule"). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.… Continue Reading