Tag Archives: privacy

The CARES Act Amends Federal Law Governing the Confidentiality of Substance Use Disorder Patient Records

The CARES Act (the “Act”), enacted on March 27, 2020, makes notable changes to federal law governing the disclosure of substance use disorder (“SUD”) records. The Act amends 42 U.S.C. 290dd-2, the governing statute of the regulations at 42 C.F.R. Part 2 (“Part 2”), to better align certain of its confidentiality requirements with HIPAA. The amendments do not change the basic premise that prior written consent of the patient is required for disclosure of SUD treatment records. However, once prior written consent of the patient is obtained, the amendments allow a covered entity, business associate, or Part 2 program to use or disclose SUD records for purposes of treatment, payment, and health care operations as permitted by HIPAA. Any information so disclosed may then be redisclosed in accordance with the HIPAA regulations. The amendments also allow a patient’s prior written consent to be given once for all such future uses or disclosures for purposes of treatment, payment, and health care operations, until the patient revokes his or her consent in writing.

OCR Loosens HIPAA Enforcement Amidst Coronavirus Pandemic

Let’s face it, there has not been much positive news lately surrounding the Coronavirus (“COVID-19”). However, the Office for Civil Rights (“OCR”), the agency within the Department of Health and Human Services (“HHS”) that enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, has announced several recent measures that allow health care providers to avoid certain HIPAA penalties and sanctions amidst the COVID-19 pandemic.

There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19.  Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:


Cybersecurity and Emergency Preparedness for Long-Term Care

On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.

Whether State surveyors will actually cite the lack of a cybersecurity plan in a facility’s emergency preparedness as a deficiency remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, amounts paid by health care providers to OCR for HIPAA violations skyrocketed to a record $23.51 million. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.


Government Cracks Down On Nursing Home Use of Social Media

On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to take enforcement action against nursing homes whose staff post patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as violations of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.

Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings on social media of residents as abuse “to at least one law enforcement agency.”

mHealth App Use: Is Data Truly Protected?

One of the reasons why consumers, healthcare providers, investors, the government and others have been slow to adopt mobile health applications and software (apps) is concern about the privacy and security of data collected through the apps. For instance, Appthority, a service provider that offers an app risk management solution, recently reported that the iPharmacy Drug Guide and Pill ID app “is playing fast and loose with your personal info.” www.appthority.com/news/mobile-threat-monday-android-app-leaks-your-medical-info-online. iPharmacy is a free app that allows consumers to maintain a personal health record on their prescription drugs, look up information on a drug, receive reminders, and maintain pharmacy discount cards.

HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others

The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as “covered entities,” as well as their subcontractors and vendors as “business associates” (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.


What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors

HIPAA-covered entities and many of their vendors—among them are HIO and EHR consultants, data analytic firms, data transmission facilitators, software vendors and device vendors—rely on health information technology (HIT) to accomplish their purposes. Large data companies, small entrepreneurs and investors are participating in the growth of HIT.


New HIPAA Rules Regarding Genetic Information Affect Employers, Group Health Plans, Health Insurers and Healthcare Providers

Because HIPAA includes employer-sponsored group health plans under the definition of insurers, employers that sponsor plans are also affected by the GINA amendments to the HIPAA Privacy Rule (“the GINA amendments”). In addition, the GINA amendments will have applicability beyond the insurance industry because they draw distinctions between permissible and impermissible uses of “genetic information” in connection with the diagnosis of a medical condition.


Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans

Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending HIPAA in accordance with the HITECH Act of 2009. This final rule under the HITECH Act, issued on January 17, 2013, impacts group health plans in two significant ways. Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.



HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever

The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

