Among the most significant changes of the Final HIPAA amendments are the provisions that extend the Privacy and Security Rules’ stringent compliance obligations to business associates (BA) and expand the definition of BAs to include subcontractors of BAs. Why the changes? The HITECH Act of 2009 specifically extends direct liability to BAs and expands the list of obligations for BAs. The Department of Health & Human Services extends BA obligations even further to ensure the privacy and security of all PHI throughout the HIPAA ecosystem.
Click here to read a summary of the key provisions under the 2013 amendments, as well as factors that may be worthwhile for covered entities and business associates to consider in light of these amendments.
On January 17, 2013, the federal Department of Health & Human Services (“HHS”) announced a final omnibus rule that details amendments to the privacy, security, data breach and enforcement rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The 2013 HIPAA Amendments (which, with commentary from HHS, weigh in at 563 pages) are closely based on statutory changes under the HITECH Act of 2009, and were previewed in proposed and interim rules issued by HHS several years ago.
Mobile health (“mHealth”, “telehealth” or any other terms for health care delivered wirelessly) is revolutionizing the health care industry. That message resounded at last week’s mHealth Summit, which gathered roughly 4,000 investors and angel-funders, telecom and software companies, and entrepreneurs and developers to share ideas and display new mHealth products. Hot mHealth areas include data analytics, texting and medical records. Home health and medical homes also stand to benefit with the introduction of products designed to transmit protected health information (“PHI”) and other data between patient and provider.
The Minnesota Attorney General is on a mission to eliminate over-aggressive debt collection behavior in the hospital industry. Her target is Accretive Health, Inc., a national company that provides support services to hospitals in Minnesota and other states on debt collection and revenue cycle management using sophisticated data analysis tools. Already other states have announced investigations, and federal investigations are likely to follow. The AG has also raised issues regarding the health system that used Accretive, Fairview Health Services, a nine-hospital system in Minnesota. Any hospital that outsources collections, revenue cycle management and related financial activities, or even performs them in-house, should closely review its compliance with best practices, including the AHA’s Statement on Hospital Billing and Collection Practices, agreed to in writing by many hospitals some years ago.
The relationship between privacy and mobile applications is coming into focus. On February 27, 2012, the California Attorney General entered into a Joint Statement of Principles with the six largest mobile application companies – Apple, Google, H-P, Microsoft, Amazon and RIM – regarding consumer privacy and transparency issues when data is collected through an app. http://ag.ca.gov/cms_attachments/press/pdfs/n2647_agreement.pdf. The Five Principles set parameters for good practice. Although not legally binding, the AG promises to review compliance in the fall, and may use California laws on privacy, false advertising, unfair business practices and others as enforcement tools. Since California often leads the way in privacy enforcement, it is likely that other states will follow suit.
We live in the data age, where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mHealth). In response, in recent years, federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA, and Gramm-Leach-Bliley, to protect data whether in electronic (IT) or physical form. This data is known as protected health information under HIPAA and personally identifiable information under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notifications to individuals whose PHI or PII was breached and to some agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true – after all we regularly give our credit card numbers to anonymous persons over the phone – is a subject for another day…)
A few thoughts on HIPAA
Real case scenario. A health care provider’s car gets broken into and private health information (“PHI”) is stolen, along with other items. Next steps? Once the provider determines that a breach of unsecured PHI has occurred (an incidental disclosure of PHI does not constitute a breach), the provider should perform a risk assessment to determine whether the event poses a significant risk of financial, reputational or other harm to the patient.
On December 28, 2010, the Office of the Inspector General published a notice of intent to develop regulations in the Federal Register soliciting recommendations for modifications to the safe harbors under the anti-kickback statute and suggestions for new safe harbors and OIG Special Fraud Alerts. The solicitation was published in accordance with Section 205 of the Health Insurance Portability and Accountability Act of 1996, which requires HHS to publish this formal solicitation annually. The notice lists the criteria that HHS will consider in reviewing the proposals submitted and recommends that proposals be accompanied by supporting data and/or justifications.
To read the notice published in the Federal Register, please go to: http://www.gpo.gov/fdsys/pkg/FR-2010-12-28/pdf/2010-32705.pdf.