On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlined some direct effects of the new HIPAA Omnibus Rule on employers and their health plans.
While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.
CMS should improve its oversight of its electronic health record incentive program, according to a report by the Office of Inspector General released this month. The government watchdog agency faults CMS for both inadequate prepayment safeguards and insufficient postpayment monitoring of recipients of federal funding intended to help cover the costs of adoption and implementation… Continue Reading
The principle that individuals whose protected health information is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.
Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services recently released a “sample” letter that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for HIPAA audits in 2012.
Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services Office for Civil Rights, which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year.
Spectators of the Protected Health Information Breach Parade (and of the “silent brigade” of Business Associate breaches) will be awed by the sight of the recent, somewhat bizarre, Business Associate breach involving Stanford Hospital’s emergency room data.
Looking to buy or upgrade your scheduling, billing and collection software? Want to make sure what you’re buying meets the latest HIPAA electronic standard transaction criteria and is able to handle the new ICD-10 codes? Shopping for an Electronic Health Record (EHR) system that includes a practice management component and will qualify for HITECH subsidies? The American Medical Association and… Continue Reading
Last week for the first time, the Office for Civil Rights of HHS reported exacting heavy financial obligations from (i) Cignet Health on February 22, 2011, with a $4.3 million civil monetary penalty assessment for violations of the HIPAA Privacy Rule, and (ii) Massachusetts General Hospital on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 for potential violations of HIPAA.
On January 18, 2011, the office of Attorney General William Sorrell of Vermont announced in a press release that it had settled a lawsuit against Health Net, Inc., involving an alleged PHI security breach, by means of a consent decree which requires court approval.
Early EHR adopters, mark your calendars: CMS will begin accepting registration for participation in the Medicare EHR incentive program beginning January 3, 2010. CMS will post a link to the registration process on its Registration and Attestation page on January 3. The sooner you apply, the sooner you can begin to qualify for the $44,000 in additional Medicare funds per… Continue Reading
The University of Tennessee Medical Center based in Knoxville has apparently recently joined in the march.
The Henry Ford Health System has notified affected patients of a breach involving unsecured PHI.
Significantly, the lawsuit by the Indiana Attorney General is not being brought under HIPAA/HITECH but under Indiana state law.
The virtual "ink" is barely dry on the July 13, 2010 final rule on Stage 1 Meaningful Use criteria, but the federally chartered Health IT Policy Committee is already beginning to talk about Stage 2. Modern Healthcare reports in a September 17 article (registration required) that the advisory body met this week to review a schedule… Continue Reading
By Todd Rodriguez, Esquire. In July, the Centers for Medicare and Medicaid Services (CMS) released the much-anticipated final regulations that providers are required to meet in order to receive the Medicare incentives for adoption of a certified electronic health record system. In the final rule, CMS set forth 15 core elements which… Continue Reading
The following is a chart summarizing the 15 "core" objectives which must be met, the menu from which 5 additional objectives must be selected, and the standards by which achievement of these objectives will be measured in order to qualify for EHR funding under the HITECH Act based on the final rules published on July 13, 2010:… Continue Reading
On July 13, 2010, the Department of Health and Human Services released a pair of final regulations (one from CMS, one from the Office of National Coordinator for HIT) detailing the “meaningful use” criteria which will determine whether users of electronic health records will qualify for the government subsidies under the HITECH Act during… Continue Reading
With a press conference featuring top officials including HHS Secretary Kathleen Sebelius, the Office of Civil Rights rolled out a 234-page Notice of Proposed Rulemaking on July 8, 2010. The full text is here. The agency described the proposed rulemaking as including significant modifications to the HIPAA Privacy, Security and Enforcement rules, as well as resources and… Continue Reading
With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information.
The Health Information Technology for Economic and Clinical Health Act or the “HITECH Act” provides incentive payments for adoption and meaningful use of HIT and qualified EHRs. CMS published a proposed rule defining "meaningful use" on December 30. It’s 566 double-spaced pages long, and can be found here: http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf. An eligible physician or other professional… Continue Reading
When I first reviewed the Matrix and other documents released by the HIT Policy Committee’s “Meaningful Use” Workgroup, my initial reaction was “When did defining ‘Meaningful Use’ of EHR morph into attempting to use EHRs to ‘meaningfully’ reform the entire healthcare delivery system?” More simply put, the Workgroup’s initial recommendations seemed to me to be over-ambitious. The term… Continue Reading