The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.
Duane Morris is issuing a series of Alerts on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.
One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.
Among the most significant changes of the Final HIPAA amendments are the provisions that extend the Privacy and Security Rules’ stringent compliance obligations to business associates (BA) and expand the definition of BAs to include subcontractors of BAs. Why the changes? The HITECH Act of 2009 specifically extends direct liability to BAs and expands the list of obligations for BAs. The Department of Health & Human Services extends BA obligations even further to ensure the privacy and security of all PHI throughout the HIPAA ecosystem.
On January 17, 2013, the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The 2013 HIPAA Amendments (which, with commentary from HHS, weigh in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago.
‘Mobile health’ (mHealth), which is defined loosely as health care delivered wirelessly, is set to transform health care. A perfect example is the Ford Motor Company’s ‘Car That Cares,’ which it announced at the 2012 International Consumer Electronics Show in Las Vegas in January. The car’s in-vehicle health monitoring system was developed through a collaboration with Microsoft, BlueMetal Architects, and Healthrageous and is designed to support passengers’ personal health and disease management programs. The vehicle’s dashboard is equipped to collect real time biometric and other data, along with voice inputs, to help the passenger comply with his or her health and wellness program through digital coaching (“How much did you eat for breakfast? Did you take your pills?”). The system can also wirelessly connect to other health-related smartphone apps and portable medical devices such as a car seat that measures blood pressure, to alert the passenger to health changes. These apps and devices can then connect to the passenger’s health care provider and electronic health record. The Car That Cares is still in the research phase, giving the public and the regulators time to catch up with this new concept.
Expansion of CMS Never Events: They’re Not Just For Medicare Or Just For Hospitals Anymore
In 2005, when “Never Events” were proposed for hospitals through the Deficit Reduction Act, no one knew what the overall effect would be on hospitals or patient care. CMS later developed and implemented these Never Events under the authority of the DRA to prevent Medicare payment to hospitals for certain “never events” or hospital-acquired conditions (HACs), which were conditions that were high volume, involved higher payment, and could be easily preventable. Now, hospitals and other health care providers have to worry about Never Events in the Medicaid space.