The U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) recent imposition of a civil monetary penalty (CMP) against a Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entity demonstrates the need to ensure that HIPAA compliance programs are in place, are audited regularly, and emphasize the importance of promptly … Continue Reading
Last Thursday, the California Attorney General, Xavier Becerra, released the long-awaited text of the proposed California Consumer Privacy Act (CCPA) regulations. Once finalized, these 24 pages of regulations will govern compliance with the CCPA. While the draft regulations provide insight into how regulated entities must address verification of consumer requests and clarifies aspects of how … Continue Reading
On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment … Continue Reading
In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading
Businesses working with U.S. customer or employee data are very familiar with the roles the Federal Trade Commission (FTC), U.S. Department of Health and Human Services, and other federal agencies play in privacy regulation and enforcement. But, increasingly, if your company ends up facing a health – or other data – incident, you may find … Continue Reading
On October 27, 2015, a U.S. Department of Health and Human Services (“HHS”) official stated that the agency has hired FCi Federal, a provider of management and professional services to government agencies in Ashburn, VA, to conduct the second round of Health Insurance Portability and Accountability Act (“HIPAA”) data security audits. Similar to the Phase … Continue Reading
Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading
On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading
On February 6, 2014, the U.S. Department of Health & Human Services' (HHS) Centers for Medicare & Medicaid Services, Centers for Disease Control and Prevention, and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 regulations to provide patients with direct access to laboratory test reports. HHS believes that patients should have the right to access these test reports in order to gain vital information, allowing them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply by October 6, 2014.… Continue Reading
The Privacy and Security Tiger Team, a subcommittee of the Office of the National Coordinator for Health IT's HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information contained in an electronic designated record set, concluding that the rule is overbroad and lacks value.… Continue Reading
According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. The OIG's report concluded that OCR failed to provide for periodic audits to ensure that covered entities were in compliance with the Security Rule, and failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.… Continue Reading
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.
The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS' decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders.… Continue Reading
On September 5, 2013, Adheris, Inc. ("Adheris"), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services ("Secretary"), and the Department of Health & Human Services ("HHS"), challenging the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary's enforcement of these restrictions, which was set to begin on September 23, 2013.
In a joint motion filed by the parties today seeking to suspend the court's schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule's "reasonable in amount" restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.… Continue Reading
Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.
Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier's hard drive from "CBS Evening News" (CBS).… Continue Reading
The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe-harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.… Continue Reading
On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule's "harm" threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.… Continue Reading
The Office for Civil Rights ("OCR") of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the "HITECH Final Rule"). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.… Continue Reading
On January 2, 2013, the HHS Office for Civil Rights ("OCR") announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho ("HONI") has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information ("ePHI") for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.… Continue Reading
It has been almost two and half years since the Department of Health and Human Services, Office for Civil Rights ("OCR"), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget ("OMB") for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.… Continue Reading
The Office of Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office Report criticizing the delayed publication of this and related guidance, is aimed to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.… Continue Reading
On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity's breach self-report required by HITECH's Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician's unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity's general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.… Continue Reading
On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals. The settlement resulted from the hospital’s data breach report to the Attorney General in July … Continue Reading