In an unprecedented settlement arising from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, a medical software provider agreed to pay $900,000 to 16 state attorneys general (AGs) for alleged violations of a conglomerate of state and federal privacy laws. The settlement represents the resolution of the first-ever multistate data … Continue Reading
The HHS Office of Civil Rights (“OCR”) published a final rule May 18, 2016, broadening the nondiscrimination requirements applicable to all health programs and activities receiving federal financial assistance from HHS, those administered by HHS, and Health Insurance Marketplaces. The final rule implements section 1557 of the ACA and adds two important categories of protections: … Continue Reading
In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading
The 2013 changes to HIPAA’s privacy and security regulations in combination with the government’s bolstered approach to compliance and enforcement reinforces the need for health care providers to remain focused on preparing for the inevitable likelihood that privacy or security issues will occur. With the number of significant data breaches expected to rise, it is … Continue Reading
More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading
The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights ("OCR"), the agency responsible for enforcing the Health Insurance Portability and Accountability Act ("HIPAA"), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled "HIPAA Privacy In Emergency Situations," provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.… Continue Reading
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.
The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS' decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders.… Continue Reading
On September 5, 2013, Adheris, Inc. ("Adheris"), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services ("Secretary"), and the Department of Health & Human Services ("HHS"), challenging the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary's enforcement of these restrictions, which was set to begin on September 23, 2013.
In a joint motion filed by the parties today seeking to suspend the court's schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule's "reasonable in amount" restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.… Continue Reading
On February 27, 2013, the HHS Office for Civil Rights ("OCR") announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR's health information privacy enforcement team signals that OCR's increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH's Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary's $1.5 million settlement in September. OCR's 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency's focus will be on Security Rule compliance (specifically with regard to the whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.… Continue Reading
On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule's "harm" threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.… Continue Reading
The Office for Civil Rights ("OCR") of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the "HITECH Final Rule"). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.… Continue Reading
On January 2, 2013, the HHS Office for Civil Rights ("OCR") announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho ("HONI") has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information ("ePHI") for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.… Continue Reading
It has been almost two and half years since the Department of Health and Human Services, Office for Civil Rights ("OCR"), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget ("OMB") for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.… Continue Reading
The Office of Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office Report criticizing the delayed publication of this and related guidance, is aimed to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.… Continue Reading