Recently in HIPAA Category

July 28, 2010

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

Providers and entities that think HIPAA violations are no big deal, or that have yet to implement the required policies and procedures, are well advised to review the Department of Health and Human Services' July 27, 2010 press release announcing a $1 million settlement of allegations of HIPAA violations.

Rite Aid Corporation and its 40 affiliated entities (RAC) agreed to pay $1 million to settle violations under the HIPAA Privacy Rule. The Office of Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC after a television station reported on incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals' identifiable information in trash containers accessible to the public.

Disposing of individuals' health information in places accessible to unauthorized persons violates several requirements of the HIPAA Privacy Rule. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers, including pharmacies, to protect the privacy of patient information, including during its disposal.

As part of the settlement agreement, Rite Aid also agreed to take the following corrective action to improve its policies and procedures for safeguarding the privacy of its customers: (1) revise and distribute policies and procedures regarding disposal of protected health information and sanction workers who do not follow them; (2) train employees on the new requirements; (3) conduct internal monitoring; and (4) engage a qualified and independent third party to conduct compliance reviews and render reports to HHS.

July 9, 2010

New HIPAA Rules Will Require Covered Entities To Issue New Notice of Privacy Practices

In addition to the many aspects of the new HIPAA rules modifying the existing HIPAA Privacy and Security Rules, if the proposed rules are finalized, covered entities will be required to make "material modifications" to their Notice of Privacy Practices ("Notice"), thereby triggering obligations to revise and distribute the "new" Notices. For example, covered entities will have to revise their Notices consistent with the changes to the patient rights portion of the rule. Specifically, although the current rules allow a covered entity to decline a patient's request for restrictions as stated in the Notice, the proposed rules require a covered entity to agree to a patient's request not to disclose protected health information ("PHI") to a health plan if the purpose of the disclosure to the plan is to carry out payment or health care operations and the PHI pertains solely to health care services for which the patient, or another person on behalf of the patient, has paid the covered entity in full. In other words, a patient can restrict a health care provider from disclosing PHI to the patient's health plan as long as the patient pays out of pocket for the service in full. Importantly, if the patient's payment is not honored (e.g., the check bounces), the provider is permitted to submit the PHI to the health plan in order to be paid for the service. The health care provider need only comply with the restriction for services for which the provider is paid in full. The Office of Civil Rights ("OCR") makes clear that it does not believe the intent of the HITECH Act was to allow patients to avoid their payment obligations to health care providers. The proposed regulations would also require changes to the Notice regarding which uses and disclosures require an authorization.
The proposed rules would also require covered entities to disclose to patients that most disclosures of PHI for which the covered entity receives remuneration require authorization. The Notice will also have to be revised to reflect the new requirements concerning marketing and subsidized treatment communications. The OCR is also soliciting comments on whether the Privacy Rule should require the Notice to contain a statement advising patients of the new breach notification obligations with respect to breaches of unsecured information.

Notably, the OCR states that the change to the existing patient rights rule and the other changes noted above are "material," thus requiring all covered entities with Notice obligations to revise and reissue their Notices. This means that although handing a Notice to a patient is typically a one-time obligation (i.e., continuing patients need not be offered a Notice at every visit), the provider will now have to ensure that all patients are provided a new Notice at their next visit and maintain a copy of the patient's acknowledgment that they have been given a copy of the new Notice. Many providers have not revised their Notices since the inception of the Privacy Rule and thus have not had the burden of providing all existing and continuing patients with new Notices. Importantly for health plans, the OCR recognizes that revising and redistributing Notices within 60 days of material changes is a costly process, and the OCR is therefore seeking comments on ways in which plans could inform individuals of the changes without imposing a large burden. The OCR is considering many options, such as replacing the current 60-day requirement with a requirement that the plan redistribute the new Notice in its next annual mailing (for example, at the beginning of the plan year or during the open enrollment period), and is also considering whether to make no changes at all. Obviously, it is in the best interest of plans to proactively comment to the OCR on this important issue.

July 8, 2010

Health Information Privacy and Security Strengthened through New Proposed Rule

The Department of Health and Human Services ("HHS") today announced a notice of proposed rulemaking regarding HIPAA Privacy and Security. The proposed rule is issued in connection with the amendments to and expansion of HIPAA made by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), enacted as part of the American Recovery and Reinvestment Act of 2009.

The proposed rule is intended to strengthen and expand enforcement of the HIPAA Privacy, Security and Enforcement Rules by granting broader patient rights and stronger protections when business associates handle individually identifiable health information.

HHS also launched a privacy website today, designed to inform the public about existing HHS health information privacy efforts and policies. HHS also announced that its website for HIPAA breach notifications will be updated to include a search function and summaries of past health information privacy breaches.

June 22, 2010

System Changes Necessary to Implement the Patient Protection and Affordable Care Act (PPACA) Section 6404 - Maximum Period for Submission of Medicare Claims Reduced to Not More than 12 Months

Wisconsin Physician Services (an existing Medicare Carrier and Medicare Administrative Contractor) today issued a reminder on its website for providers concerning the new deadlines for Medicare claims submission. The CMS MedLearn Matters article on the subject, dated May 7, 2010 and effective January 1, 2010, provides specific details on the topic.

For example, Section 6404 of the PPACA has amended the timely filing requirements to reduce the maximum period for submission of all Medicare Fee-For-Service (FFS) claims to one calendar year after the date of service. Additionally, Section 6404 mandates that all claims for services furnished prior to January 1, 2010 must be filed with the appropriate Medicare claims processing contractor no later than December 31, 2010.

Section 6404 will impact all physicians, providers, and suppliers submitting claims to Medicare contractors for services to Medicare beneficiaries. Currently, Medicare contractors are adjusting their relevant system edits to ensure that claims with dates of service prior to October 1, 2009 will be subject to the pre-PPACA timely filing rules and associated edits.

While Section 6404 does authorize CMS to make specific exceptions to the timely filing requirement, currently the only exception is found in the filing regulations at 42 CFR section 424.44(b)(1), for "error or misrepresentation" by an employee, Medicare contractor, or agent of the Department that was performing Medicare functions.

June 18, 2010

Temporary Certification Program for EHR Technology Announced

A final rule establishing the temporary certification program for electronic health record ("EHR") technology was released today by the Office of the National Coordinator for Health Information Technology ("ONC"). As explained in the HHS press release and in a previous HLP blog entry about the proposed rule, the HITECH Act of 2009 established incentives for providers that use EHR technology, but specified that the technology they use must be certified EHR technology. The new final rule sets out the certification program, which will help ensure that the EHR technology providers use is safe and effective and meets the "meaningful use" criteria that allow them to qualify for the incentives. Details about the certification program are available at the Health IT website of HHS.

For more information, contact Robert S. Iwrey, Esq. at (248) 996-8510.

May 28, 2010

RED FLAGS RULE AND IDENTITY THEFT- ENFORCEMENT DELAYED YET AGAIN

In an unsurprising turn of events, days before the June 1 deadline, the Federal Trade Commission ("FTC") announced that it is again delaying enforcement of the identity theft regulations, through December 31, 2010. This latest delay came at the request of certain members of Congress while Congress considers legislation that would affect the scope of entities covered by the identity theft regulations. This is the fifth time that enforcement has been delayed, and physicians are hopeful that a permanent solution will be forthcoming. The legislation under consideration would exempt from the law health care practices with fewer than 20 employees. The FTC's official announcement can be found here. HLP will continue to keep you updated on this topic.

May 11, 2010

HIPAA Security: Risk Analysis Guidance Issued

On May 7, 2010, the Office of Civil Rights (OCR) issued guidance on the risk analysis requirement of the HIPAA Security Rule. Many providers have not paid close attention to the actual requirements of the HIPAA Security Rule. In addition to covered entity providers that must comply with the security regulations, business associates that have not implemented the requirements of the HIPAA Security Rule must now also do so, thanks to the HITECH Act. The newest OCR guidance should be reviewed along with past guidance documents. This guidance focuses on the first step in identifying and implementing safeguards consistent with the HIPAA Security Rule. According to OCR, "the guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements." The OCR guidance does draw on recommendations from the National Institute of Standards and Technology (NIST), even though only federal agencies are actually required to follow NIST guidelines. We encourage providers and business associates to review the guidance, as the HIPAA Security Rule emphasizes that the risk analysis process is a key element in achieving compliance with the regulatory requirements and is an ongoing, evolving process.

For more information, you can visit the HHS Health Information Privacy Page, or contact Abby Pendleton, Esq. or Kathryn Hickner-Cruz, Esq. at (248) 996-8510.

May 7, 2010

HITECH Act Expands Requirements for Accounting of Disclosures

The HIPAA Privacy Rule currently provides an individual the right to receive an "accounting of disclosures," essentially a listing of occurrences where a HIPAA covered entity has disclosed the individual's information to others. Under the current rule, however, disclosures made for treatment, payment, and health care operations need not be included in the accounting.

Now, the HITECH Act has expanded the list of what must be included in the accounting of disclosures. HITECH, which regulates the use of electronic health records ("EHRs"), provides individuals the right to receive information about disclosures made using the individual's EHR, including disclosures for the purposes of treatment, payment, and health care operations. The Health and Human Services Office of Civil Rights ("OCR") is required to set forth rules that balance the rights of individuals with the reporting burden on HIPAA covered entities.

OCR has issued a request for information from individuals and providers as the first step in its rulemaking, which you can review here.

For more information on HIPAA and HITECH, please visit the HLP's Compliance and HIPAA page, or contact Kathryn Hickner-Cruz, Esq. or Abby Pendleton, Esq. at (248) 996-8510.

April 19, 2010

Meaningful Use of EHR Technology Expanded

Meaningful use of electronic health records (EHR) technology has recently been expanded to include physicians providing services in outpatient facilities, according to the Continuing Extension Act of 2010. Initially, Congress had intended that only those physicians who purchased and implemented EHR technology would be eligible for the incentive payments, which would have left hospital-based physicians without an opportunity to collect those incentive payments, as the hospital provided the EHR technology for them. We will continue to keep you apprised of any further updates regarding the implications of this new expansion.

April 16, 2010

Congress Extends 0% Update to Medicare Physician Fee Schedule

The Continuing Extension Act of 2010 was signed into law on April 15. This law reinstates the March 31 Medicare Physician Fee Schedule (Fee Schedule) rates for physicians, postponing, yet again, the anticipated 21.3% cut. The zero percent (0%) update to the Fee Schedule has been extended to May 31 and will apply retroactively to claims that have been held since April 1.

Please refer to our previous blog entry on this topic for more background.

April 6, 2010

John Muir Health data breach

Today, John Muir Health began notifying its 5,450 patients about a possible breach of their personal and health information. The notifications came two months after two laptop computers were stolen from the John Muir Physician Network Perinatal office in Walnut Creek, California.

Although the laptops were password protected, and there is no evidence that the information has been accessed or used inappropriately, the Hospital decided to notify its patients, as the laptops contained personal and health data going back more than three years.

As a result of the data breach, the Hospital is taking additional safeguards to protect its patients: (i) it is recommending that affected patients place fraud alerts on their credit files; (ii) it will provide its patients with no-cost identity theft protection for one year; and (iii) it has started implementing additional safety measures.

March 19, 2010

UPDATE: OCR Makes Certain HITECH Enforcement Delay Official

HLP reported earlier this week that the failure of OCR to issue HIPAA regulations regarding the implementation of the HITECH Act was likely to lead to a delay in enforcement of the relevant provisions, though no official delay had been announced.

In an update on its website on Wednesday, OCR has eased some confusion by making the delay official:

Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the [Notice of Proposed Rulemaking] (NPRM) and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

The provisions affected include:

  • business associate liability;
  • new limitations on the sale of protected health information, marketing, and fundraising communications; and
  • stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

The update goes on to remind providers that regulations have been issued--and are being enforced--regarding enforcement and breach notification.

March 16, 2010

Office of Civil Rights Hints it May Delay Enforcement of Security Provisions in HITECH Act

While the HITECH Act technically went into effect last month, on February 17, 2010, HHS's Office of Civil Rights ("OCR") has yet to issue guidance and regulations about the implementation of new privacy and security requirements contained in the HITECH Act. Because of this failure, OCR has been hinting that it may delay enforcement of these privacy and security provisions.

OCR intended to issue new HIPAA regulations to meet the HITECH requirements prior to enforcement, and says it still hopes to issue the regulations soon enough that a final rule could be issued during 2010. OCR also has not explicitly stated that it will be delaying enforcement, likely to encourage regulated entities to pursue good faith compliance efforts in the meantime, though spokesman Mike Robinson has been quoted as saying, "It is not correct to characterize an 'effective date' for a legislative provision (which is what the Feb. 17, 2010, date is for certain provisions of the HITECH Act) as the 'enforcement date.'"

OCR has also been clear that there will be no delay in enforcing the breach notification rule, which was effective last September.

March 8, 2010

ONC Proposes Certification Program for Electronic Health Records Systems

The Office of the National Coordinator for Health Information Technology ("ONC"), an office of the Department of Health and Human Services, released a proposed rule creating a program to certify electronic health records ("EHR") systems. The rule creates both a temporary and a permanent certification system, designed to assure users that EHR systems and related technology meet the "meaningful use" criteria of the HITECH Act.

This certification is required by CMS for providers to receive payments in an incentive program created by CMS in January for the "meaningful use" of EHR technology.

ONC hopes to issue the final rule regarding temporary certification by the time that HHS issues final rules regarding meaningful use standards and certification criteria. Both are expected this fall.

The permanent certification program, with a longer comment period, will later replace the temporary program.

December 10, 2009

Michigan Supreme Court Deciding HIPAA's Impact in Liability Cases

Oral arguments began on November 3, 2009 in a case that will test whether defendants in medical liability lawsuits are permitted under HIPAA to conduct informal interviews with plaintiffs' other treating doctors.

The federal Health Insurance Portability and Accountability Act (HIPAA) protects private health information and preserves patient confidentiality. In the case at issue, the plaintiff suing a physician for negligence has denied the physician access to informal interviews with other treating physicians, arguing that HIPAA only allows the disclosure of written medical records, not oral communications, where it is more difficult to predict what protected information might be disclosed. The trial court agreed with this argument, only to be reversed by the Michigan Court of Appeals in 2008. The Court of Appeals ruled that, provided the patient was notified through a proper mechanism, such informal meetings were permissible.

Other states have split over whether HIPAA prohibits informal oral interviews in medical liability cases.
