Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA. As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog…
Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy…
I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact: very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay…
Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog. It is reproduced below: Lost in the Shuffle: The September 23 HIPAA Notice Requirements. By Keith R. McMurdy on September 6, 2013. Posted in Plan Administration, Welfare Plans…
Tamarra Holmes writes: In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National…
On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlined some direct effects of the new HIPAA Omnibus Rule on employers and their health plans.
While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.
Here are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information in their job, even without the benefit of the long-awaited Mega Rule.
Under the HIPAA/HITECH laws, individuals whose protected health information is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach. That principle may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.
Make the lengthy wait for the long-awaited HIPAA/HITECH Mega Rule more enjoyable by participating in a contest to predict the date of its publication in the Federal Register and the number of its pages.
Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.
The Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals includes focused guidance for covered entities and business associates in the form of brief summaries of the cases that the federal Office of Civil Rights has investigated and closed.
If the PHI flowing through information superhighways and into and out of clouds and other databases is adequately secured, and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race?
A recent Federal District Court case in Florida reminds us of the mandatory attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance, especially in the case of data security breaches.
In light of the widely publicized pre-Christmas hacking breach of confidential data held by Stratfor Global Intelligence Service, a company specializing in data security, and the earlier TRICARE/SAIC breach, can we trust that any electronically transmitted or stored information is really safe?
As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach. Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems. In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that…
Last week for the first time, the Office for Civil Rights of HHS reported exacting heavy financial obligations from (i) Cignet Health on February 22, 2011, with a $4.3 million civil monetary penalty assessment for violations of the HIPAA Privacy Rule, and (ii) Massachusetts General Hospital on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 for potential violations of HIPAA.
A type of relatively new insurance coverage may be an option for those who worry that even airtight, well-implemented policies and procedures may not be enough to protect a healthcare provider against financial losses from a PHI security breach.
The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light an increasing volume involving highly respected and sophisticated providers and insurers. It has often encouraged such providers and insurers to go well beyond the minimum legally required responses as a matter of…
The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access of Michael Jackson’s medical…
The Secretary of Health and Human Services (HHS) released today a compendium of reports on state law, business practices, and policy variations to assist health information exchange efforts. I reviewed some of the documents linked through HHS’s e-mail and find it extremely helpful that the government is aggregating resources on its website to be used by all in their HIE and…
On November 1, 2009, the "Statistical Reporting of Abortion Law" was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is…
I have said it before, and I will say it again — employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient’s medical record for no legitimate purpose. This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock,…
[Installment 4 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]. This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. Over the next several months, my blog entries will continue to discuss some of the threshold issues that face…