The recently enacted Health Information Technology for Economic and Clinical Health ("HITECH") Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.… Continue Reading
Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.
All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."… Continue Reading
On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the "ARRA"). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.… Continue Reading
On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the "ARRA").1 This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services ("HHS") to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.… Continue Reading
In “Ex Parte Talks Allowed Under Georgia Law For Counsel, Doctors Preempted by HIPAA,” the United States Law Week discusses in detail Moreland v. Austin, Georgia Sup. Ct. No. S08G0498, a November 3, 2008 decision holding that defense attorneys who wish to engage in ex parte communications with plaintiffs’ treating physicians must comply with HIPAA … Continue Reading
Data breaches can occur in any industry, but those that involve medical information create unique problems. Starting January 1, they also will carry unique penalties, at least in California. The new California laws, Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211). Health care providers clearly need to take heed of the laws’ … Continue Reading
This post was written by Catherine A. Durkin and Areta L. Kupchyk. On May 22, 2008, the Food and Drug Administration (“FDA”) announced plans for what it is calling the “Sentinel System”—a new, national electronic health information surveillance system to track the performance and safety of medical products once they are on the market. In … Continue Reading