Review Health Information Before You Click "Upload to Google Health"

Using Google Health, a free personal health record tool, requires patients to be proactive both in terms of creating their electronic health record (EHR) and in checking the accuracy of the information loaded into the EHR, particularly when it comes from insurance claims data.  An article published in the April 13, 2009 issue of "The Boston Globe" illustrates how inclusion of raw insurance claims data in an EHR can be misleading and result in inaccurate diagnoses and even life-threatening situations.

Google Health and other EHR tools can greatly improve communication among health care providers, and offer patients a way of taking charge of their health records.  However, while insurance claims data can help to quickly and efficiently populate the patient's EHR, it can also create a misleading picture of a patient's past medical history and current health status.  If, for example, a patient's insurance paid for a colonoscopy or other diagnostic procedure to rule out cancer, the billing code information may make it appear that the patient was, in fact, diagnosed with the condition the procedure actually ruled out. 
 
The lesson?  Users of Google Health and other EHR tools should review their information for accuracy, and involve their physicians in the review and update of their personal health information.

HHS Issues Guidance on Security Breach Notification

On April 17, 2009, the federal Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).  The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH).  HITECH requires these regulations to be published within 180 days of enactment.  If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached!

In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance.  Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov.   View the HITECH Breach Notification Guidance and Request for Public Comment.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’s breach notification regulation is published.

FTC Issues Proposed Rules for Security Breach Notification under HITECH

The Federal Trade Commission (FTC) posted its proposed rule today implementing new breach notification requirements for health records, which were required to be promulgated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  The FTC rule will apply to vendors of personal health records and related entities not covered directly by HIPAA.  

The Department of Health and Human Services is required to issue by August 17, 2009 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA, namely Covered Entities (health care providers; health plans; clearinghouses) and now, as a result of the HITECH Act, Business Associates.  

To review the text of the FTC's proposed rule, click here.  Public comments are due on June 1, 2009.

HIPAA Reminder Notice Due April 14th for Large Health Plans

The recent changes to HIPAA brought about by the American Recovery and Reinvestment Act (ARRA) and its Health Information Technology for Economic and Clinical Health (HITECH) Act have received a lot of attention as of late.  In the meantime, however, an "old" HIPAA notice obligation has crept up, and must be complied with by April 14th!

Under the HIPAA Privacy Rule, covered entity health plans are required "no less frequently than once every three years . . . [to] notify individuals then covered by the plan of the availability of the [health plan's Notice of Privacy Practices] and how to obtain the notice."  See 45 CFR 164.520(c)(1)(ii).  For "large" health plans with an original compliance deadline of April 14, 2003, this 3-year "Reminder Notice" must be released by April 14, 2009. 

A "large" health plan is one that has five million dollars or more in annual gross receipts or claims paid.  Although health insurers (e.g., HMOs, PPOs, etc.) will generally make up the majority of "large" health plans, employers that sponsor health plans that meet the 5 million dollar threshold will also need to comply.

The Reminder Notice does not require large health plans to redistribute their Notice of Privacy Practices; however, this is one way that the requirement can be satisfied.  Other ways that the requirement can be met include mailing a separate "Reminder Notice" stating only that the plan's Notice of Privacy Practices is "available" and how a copy can be obtained.  Such a reminder can also be included in a health plan-produced newsletter or other plan-produced publication.  The government has posted an FAQ regarding the reminder notice requirement which may offer additional guidance.


Massachusetts Hospital Rescues "Orphan" Medical Records

The abandoned records of an Acton, Massachusetts physician who abruptly closed his office have been saved from the shredder by the last-minute intervention of a local hospital, highlighting a potential gap in state law that may leave patients unprotected in similar situations. 

According to the Boston Globe, Dr. Ronald Moody’s landlord evicted him from his office in September for nonpayment of rent and hired a moving and storage company to clean out its contents, including hundreds of patient charts. The moving and storage company kept the records for six months as required by law, then asked the state medical board to take custody of them after failing to find Dr. Moody. The board responded that it had no authority or budget to move, store or distribute the records, and neither the board nor the moving and storage company was able to take on the burden of locating and contacting the patients. Fortunately, a local hospital stepped in days before the records were scheduled to be destroyed. Concord’s Emerson Hospital, after consultation with the medical board, agreed to seek a court order to take possession of the records.

This incident reveals a flaw in the typical state regulatory approach to medicine and medical records. The medical board had been seeking sanctions against Dr. Moody for continuing to practice after his license had expired in 2007. Dr. Moody was required to maintain records as a condition of his license, but once he let it lapse, there was little the board could do. Like many states, Massachusetts had no statutory provisions for handling abandoned medical records.

In Pennsylvania, a similar situation occurred when a chain of imaging centers, MAIN Medical, suddenly closed in 2005. The state Attorney General’s office took over responsibility for storing the films and records and releasing them to patients.

As economic distress continues to affect healthcare providers, this situation is likely to play out again in other states.