On April 17, 2018, FDA announced its plan to launch the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health (Action Plan), which aims to support and advance innovation in medical devices while also assuring the safety of the devices throughout their Total Product Life Cycle (TPLC). To that end, FDA intends to focus … Continue Reading
On December 8, 2017 – nearly a year after President Obama signed into law the 21st Century Cures Act (“Cures Act”) – the Food and Drug Administration (“FDA”) released two new draft guidances that aim to implement section 3060 of the Cures Act, and provide clarity on the Agency’s regulatory approach to software as a … Continue Reading
By Jennifer Pike and Brad Rostolsky on Posted in Privacy & HIPAA
In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading
It has been a busy winter for the US Department of Health and Human Service, Office for Civil Rights (“OCR”). Since November 2015, the agency has announced three settlements and one civil money penalty judgment amounting to over $5 million in fines and settlements. Most recently, on February 3, 2016, a U.S. Department of Health … Continue Reading
More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading
The HHS Office for Civil Rights recently announced a settlement and corrective action plan with Cornell Prescription Pharmacy (CPP), a small for-profit, single location, compounding pharmacy located in Denver, CO. CPP has agreed to pay $125,000 and enter into a corrective action plan to settle potential violations of the HIPAA Privacy Rule. This outcome is indicative of OCR's unwillingness to demonstrate wide variance in its enforcement response based on the size of an affected covered entity or the number of patients involved in a potential HIPAA violation.… Continue Reading
Last week, President Obama signed into law a bill that will eradicate Social Security Numbers (SSNs) from all Medicare beneficiary cards over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries. The removal of SSNs from the cards is not only expected to decrease the risks associated with identity theft for Medicare beneficiaries, but also Medicare's risk of exposure associated with breaches of protected health and personal information under HIPAA and state privacy laws.… Continue Reading
The Food and Drug Administration (FDA) has issued a notice announcing the availability of a draft guidance document clarifying its acceptance of medical device clinical data from studies conducted in countries other than the United States. The document is intended to provide guidance regarding the 2012 Food and Drug Administration Safety and Innovation Act § 1123, amending Food, Drug & Cosmetic Act § 569B, which codified FDA's policy of accepting scientifically-valid clinical data obtained from non-U.S. clinical studies in support of premarket submissions for medical devices.… Continue Reading
On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading
On December 11, 2013, CMS released an advance notice of proposed rulemaking soliciting comments on specific practices for which civil monetary penalties may or may not be imposed for failure to comply with Medicare Secondary Payer reporting requirements. Among other issues, CMS is seeking comments and proposals on mechanisms and criteria that it would use to evaluate whether and when it would impose penalties for noncompliance with Medicare Secondary Payer reporting requirements.… Continue Reading
The Privacy and Security Tiger Team, a subcommittee of the Office of the National Coordinator for Health IT's HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information contained in an electronic designated record set, concluding that the rule is overbroad and lacks value.… Continue Reading
After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System ("NICS") the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the "mental health prohibitor").
OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.… Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
https://www.lifescienceslegalupdate.com/2013/09/articles/data-privacy/ocr-releases-hipaa-guide-for-law-enforcement/
...and
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.
The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS' decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders.… Continue Reading
On September 5, 2013, Adheris, Inc. ("Adheris"), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services ("Secretary"), and the Department of Health & Human Services ("HHS"), challenging the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary's enforcement of these restrictions, which was set to begin on September 23, 2013.
In a joint motion filed by the parties today seeking to suspend the court's schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule's "reasonable in amount" restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.… Continue Reading
Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.
Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier's hard drive from "CBS Evening News" (CBS).… Continue Reading
The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers. … Continue Reading
The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe-harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.… Continue Reading
On March 7, 2013, the New Jersey Assembly Appropriations Committee approved legislation related to off-label drug coverage. Assembly bill A1830 would require health benefits plans offered to individuals and small employers, the State Health Benefits Program (SHBP) and the School Employees' Health Benefits Program (SEHBP), to provide coverage for certain off-label uses for drugs that are approved by the U.S. Food and Drug Administration. The health plans would be required to provide coverage for off-label use of a drug if the drug is recognized as being medically appropriate for the specific treatment for which is has been prescribed in one of two established reference compendia (the American Hospital Formulary Service Drug Information or the U.S. Pharmacopeia Drug Information), or if the drug is recommended by a clinical study or review article in a major peer-reviewed professional journal. According to bill sponsor Herb Conaway M.D., "the purpose of [the] bill is to extend the medical benefits that may derive from the use of off-label drugs to individuals who may not be able to access these medications. In particular those individuals who are suffering from a terminal or chronically debilitating illness, because their insurance carriers won't cover these drugs." The full text and status of the bill are available here.… Continue Reading
On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule's "harm" threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.… Continue Reading