Tag Archives: enforcement

OCR Loosens HIPAA Enforcement Amidst Coronavirus Pandemic

Let’s face it, there has not been much positive news lately surrounding the Coronavirus (“COVID-19”). However, the Office for Civil Rights (“OCR”), the agency within the Department of Health and Human Services (“HHS”) that enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, recently announced several measures to allow health care providers to avoid certain HIPAA penalties and sanctions amidst the COVID-19 pandemic.

There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19.  Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:


Cybersecurity and Emergency Preparedness for Long-Term Care

On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.

Whether State surveyors will actually cite the lack of a cybersecurity plan for emergency preparedness as a violation remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations in OCR enforcement actions against health care providers skyrocketed to a record $23.51 million. That number was triple the previous record of almost $7.94 million in payouts in 2014, which was followed by $6.19 million in payouts in 2015.
