Tag Archives: hipaa

Cybersecurity and Emergency Preparedness for Long-Term Care

On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.

Whether State surveyors will actually enforce lack of cybersecurity plans for emergency preparedness as violations remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to record heights of $23.51 million from OCR enforcers against health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.

Continue reading Cybersecurity and Emergency Preparedness for Long-Term Care

Government Cracks Down On Nursing Home Use of Social Media

On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to enforce violations by nursing homes in posting patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as a violation of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.

Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings on social media of residents as abuse “to at least one law enforcement agency.” Continue reading Government Cracks Down On Nursing Home Use of Social Media

WellPoint Pays HHS $1.7 Million to Settle HIPAA Security Violations

Covered Entities Cautioned Regarding Use of Business Associates

On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.

The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.

Click here to read the full Alert.

Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act

On June 3, 2013, the U.S. Department of Labor, Department of Health and Human Services, Internal Revenue Service, Employee Benefits Security Administration and Department of the Treasury published in the Federal Register final guidance regarding nondiscriminatory wellness programs under employer-sponsored group health plans. This final guidance was issued in the form of much-anticipated joint final regulations on such wellness programs (the “Final Regulations”). It is important to note that the Final Regulations will apply to wellness programs offered under all group health plans [regardless of whether the plan is “grandfathered” under the Patient Protection and Affordable Care Act (the “Affordable Care Act”)]. Moreover, these Final Regulations will be effective for plan years beginning on or after January 1, 2014.

Continue reading Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act

HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others

The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as “covered entities,” as well as their subcontractors and vendors as “business associates” (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.

Continue reading HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others

What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors

HIPAA-covered entities and many of their vendors—among them are HIO and EHR consultants, data analytic firms, data transmission facilitators, software vendors and device vendors—rely on health information technology (HIT) to accomplish their purposes. Large data companies, small entrepreneurs and investors are participating in the growth of HIT.

Continue reading What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors

Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans

Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending HIPAA in accordance with the HITECH Act of 2009. This final rule under the HITECH Act, issued on January 17, 2013, impacts group health plans in two significant ways. Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.

Click here for an overview of how HIPAA generally applies in the context of employer-sponsored group health plans and these significant changes impacting group health plans.

Continue reading Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans

HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever

The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Click here to read more about the HIPAA “minimum necessary” standard—one of the most essential, yet vague, aspects of the HIPAA Rules.

Continue reading HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever

Overview of 2013 Amendments to HIPAA Privacy, Security, Breach Notification and Enforcement Rules

The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.

Click here to read this Overview Summary of the 2013 Amendments. Duane Morris is issuing a series of Alerts on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities

One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.

Click here for more information on the most significant changes to the Breach Notification Rule.