On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH's Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.
The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR's investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.
According to OCR's investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.
In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.
Additional information about OCR's enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.… Continue Reading
On December 19, 2011, the Centers for Medicare & Medicaid Services ("CMS") published a proposed rule (the "Proposed Rule") related to section 6002 of the Affordable Care Act, commonly referred to as the "Physician Payment Sunshine Act." The Physician Payment Sunshine Act requires applicable manufacturers of drugs, devices, biologicals, or medical supplies covered under Medicare, Medicaid, or CHIP to report annually to the Secretary of the Department of Health and Human Services ("Secretary") certain payments or other transfers of value to physicians and teaching hospitals. Additionally, applicable manufacturers and applicable group purchasing organizations ("GPOs") must report certain information regarding the ownership or investment interests in them that are held by physicians or their immediate family members.… Continue Reading
To implement the HITECH Act's mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (range in type and size) in the initial phase. Business associates will be included in future audits.… Continue Reading
On Friday, October 7, 2011, the Centers for Medicare & Medicaid Services ("CMS") and the Food and Drug Administration ("FDA") (collectively, the "Agencies") announced they were soliciting nominations from sponsors of medical devices to participate in the Agencies' parallel review pilot program. The Agencies officially published a Federal Register notice announcing the program October 11, 2011 (the "Notice"), with an effective date of November 10, 2011, although the Agencies began accepting nomination submissions October 7.… Continue Reading
Notably absent from last month's Department of Health and Human Services Semiannual Regulatory Agenda was any indication of where the Centers for Medicare and Medicaid Services ("CMS") and the Food and Drug Administration ("FDA") stand with respect to their notice with request for comments, issued last fall, on the proposed parallel review process for medical products. While CMS and FDA officials confirmed that they are currently reviewing comments submitted during the review period, they declined to speculate on when they intend to act. The comments submitted, however, provide insight into industry views on this important issue, including widespread discontent with the approval mechanisms currently available. We have undertaken a review of all of the comments submitted and extracted the eight main concerns cited in the following analysis.… Continue Reading
On June 9, 2011, Senator Orrin Hatch released a report by the Senate Finance Committee Minority Staff that outlines key concerns about Physician-Owned Distributors ("PODs"), specifically regarding the lack of regulatory oversight and clear guidance from the Department of Health and Human Services Office of Inspector General ("OIG"). The Committee Minority's report, Physician Owned Distributors (PODs): An Overview of Key Issues and Potential Areas for Congressional Oversight, set forth findings of committee staff who spoke to over fifty people and reviewed thousands of pages of documents. In addition to the report, the Chairman and Ranking Members of the Senate Financial Committee, Special Committee on Aging, and Judiciary Committee sent letters on the same day to the Administrator for Centers for Medicare & Medicaid Services ("CMS") and the Inspector General of Health and Human Services ("HHS") requesting further inquiry into the concerns set out in the Senator Hatch's report.… Continue Reading
Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and, (2) an access report.… Continue Reading
This post was also written by Gina M. Cavalier and Vicky G. Gormanly. Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current … Continue Reading
Earlier today the Department of Health and Human Services’ (HHS), Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty – which is $4.3 million – was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA … Continue Reading
The New Jersey Department of Human Services ("Department") has sent letters to numerous pharmaceutical manufacturers demanding rebate payments under the Work First New Jersey General Public Assistance/Medicare Part D Wraparound Drug Rebate Program ("GA Rebate Program"). The Department is seeking to collect payments from manufacturers that have chosen not to participate in the GA Rebate Program and thus never entered into a GA Rebate Program agreement with the Department ("Rebate Agreement"). In addition, for some manufacturers that have entered into Rebate Agreements, the Department is now seeking payments for time periods prior to the effective dates of those Rebate Agreements.… Continue Reading
According to a senior health information technology and privacy specialist at HHS Office for Civil Right (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR, developing a HITECH Act required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.… Continue Reading
The Department of Health and Human Services (HHS) has announced that its development of a Final Breach Notification Rule (currently, the rule is in interim final form) has been stalled, as the final rule was withdrawn from consideration of the Office of Management and Budget in order for HHS to give further consideration to what the final rule should include. HHS has remained relatively quite regarding the development of a Final Breach Notification Rule, but has announced that it intends for a final rule to be published "in the coming months."… Continue Reading
HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009). The advance version of the rule can be accessed here; the official version will be published July 14. A press release should be available later this morning.… Continue Reading
In April 2010, Reed Smith provided an extensive analysis of the recently-enacted health reform legislation, H.R. 3590, the Patient Protection and Affordable Care Act (PPACA), as amended by H.R. 4872, the Health Care and Education Reconciliation Act of 2010 (Reconciliation Act). In this analysis, we concentrate on those provisions in the new law that will … Continue Reading
This post was also written by Robert J. Hill and Jennifer A. Goldstein. In April 2010, Reed Smith provided an extensive analysis of the recently-enacted health reform legislation, H.R. 3590, the Patient Protection and Affordable Care Act (PPACA), as amended by H.R. 4872, the Health Care and Education Reconciliation Act of 2010 (Reconciliation Act). In this analysis, … Continue Reading
In April 2010, Reed Smith provided an extensive analysis of the recently-enacted health reform legislation, H.R. 3590, the Patient Protection and Affordable Care Act (PPACA), as amended by H.R. 4872, the Health Care and Education Reconciliation Act of 2010 (Reconciliation Act). Together, these sweeping measures expand access to health insurance (including subsidies, mandates, and market reforms); reduce health care spending (particularly in the Medicare program); expand federal fraud and abuse authorities and transparency requirements; impose new taxes and fees on health industry sectors; and institute a variety of other health policy reforms.… Continue Reading
Last week, in my capacity as president of the American Health Lawyers Association, I attended the first National Summit on Health Care Fraud, a joint undertaking by the U.S. Department of Health and Human Services and the U.S. Department of Justice. The conference brought together private sector leaders, law enforcement personnel, and health care experts as part of the Obama Administration's coordinated effort to fight health care fraud. This was the first national gathering on health care fraud between law enforcement and the private and public sectors.… Continue Reading
On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique identifier for Health Care Providers (NPI Rule)) by instituting the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.… Continue Reading
On September 17, 2009, the White House released a "Patient Safety and Medical Liability Reform Demonstration" Fact Sheet, which outlines a new $25 million Department of Health and Human Services initiative designed to help states and health care systems identify new models for managing medical liability claims. The three-pronged initiative will support competitive grants to states and health systems with a focus on the development, implementation and evaluation of alternatives to improve health care quality and patient safety while reducing medical liability.… Continue Reading
