On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to enforce violations by nursing homes in posting patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as a violation of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.
Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings on social media of residents as abuse “to at least one law enforcement agency.” Continue reading Government Cracks Down On Nursing Home Use of Social Media
Although the professional component of coding for evaluation and management services (“E&M Services”) has been scrutinized over the years, until recently, little attention has been given to coding practices for the facility component of these services—including emergency department facility services. In a September 24, 2012, letter written by Kathleen Sebelius, Secretary, U.S. Department of Health and Human Services (HHS); and Eric Holder, Jr., Attorney General, U.S. Department of Justice, to hospital leadership throughout the United States, HHS and the Justice Department expressed their concern that hospitals may be inappropriately coding E&M Services. Specifically, the letter notes that “CMS is initiating more extensive medical reviews to ensure that providers are coding evaluation and management services accurately.” In light of the recent attention on emergency department facility component coding practices, an area that so far has largely been overlooked by the regulators, any facility that has not reviewed its coding practices for the facility component of E&M Services may want to consider doing so at this time.
Click here to read the full Alert.
The meaningful use (MU) regulations provide incentive monies for hospitals and physicians that establish electronic health records systems (EHRs) and satisfy other criteria, such as providing new forms of ‘patient engagement’ like technologically-enabled patient-provider communications. The advantages of a wireless record-sharing are enormous – quicker diagnoses, better quality tracking, and seamless payment systems. But there are lots of steps and decisions required in setting up EHRs and developing broader data exchange systems like health information organizations/exchanges (HIOs or HIEs). Last week, the Department of Health and Human Services’ Office of the National Coordinator denied certification for two small EHRs and promised ongoing rigorous enforcement of EHRs. Continue reading Electronic Health Records and Health Information Exchanges/Organizations: The Changing Landscape
The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as “covered entities,” as well as their subcontractors and vendors as “business associates” (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.
Continue reading HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others
HIPAA-covered entities and many of their vendors—among them are HIO and EHR consultants, data analytic firms, data transmission facilitators, software vendors and device vendors—rely on health information technology (HIT) to accomplish their purposes. Large data companies, small entrepreneurs and investors are participating in the growth of HIT.
Continue reading What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors
Because HIPAA includes employer-sponsored group health plans under the definition of insurers, employers that sponsor plans are also affected by the GINA amendments to the HIPAA Privacy Rule (“the GINA amendments”). In addition, the GINA amendments will have applicability beyond the insurance industry because they draw distinctions between permissible and impermissible uses of “genetic information” in connection with the diagnosis of a medical condition. Click here to read more about how the new HIPAA rules regarding genetic information affect employers, group health plans, health insurers and healthcare providers.
Continue reading New HIPAA Rules Regarding Genetic Information Affect Employers, Group Health Plans, Health Insurers and Healthcare Providers
Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending HIPAA in accordance with the HITECH Act of 2009. This final rule under the HITECH Act, issued on January 17, 2013, impacts group health plans in two significant ways. Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.
Click here for an overview of how HIPAA generally applies in the context of employer-sponsored group health plans and these significant changes impacting group health plans.
Continue reading Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans
The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Click here to read more about the HIPAA “minimum necessary” standard—one of the most essential, yet vague, aspects of the HIPAA Rules.
Continue reading HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.
Click here to read this Overview Summary of the 2013 Amendments. Duane Morris is issuing a series of Alerts on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.
One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.
Click here for more information on the most significant changes to the Breach Notification Rule.