Recently in HIPAA Category

March 8, 2010

ONC Proposes Certification Program for Electronic Health Records Systems

The Office of the National Coordinator for Health Information Technology ("ONC"), an office of the Department of Health and Human Services, released a proposed rule creating a program to certify electronic health records ("EHR") systems. The rule creates both a temporary and a permanent certification system, designed to assure users that EHR systems and related technology meet the "meaningful use" criteria of the HITECH Act.

This certification is required by CMS for providers to receive payments in an incentive program created by CMS in January for the "meaningful use" of EHR technology.

ONC hopes to issue the final rule regarding temporary certification by the time that HHS issues final rules regarding meaningful use standards and certification criteria. Both are expected this fall.

The permanent certification program, with a longer comment period, will later replace the temporary program.

December 10, 2009

Michigan Supreme Court Deciding HIPAA's Impact in Liability Cases

Oral arguments began on November 3, 2009 in a case that will test whether defendants in medical liability lawsuits are permitted under HIPAA to conduct informal interviews with plaintiffs' other treating doctors.

The federal Health Insurance Portability and Accountability Act (HIPAA) protects private health information and preserves patient confidentiality. In the case at issue, the plaintiff suing a physician for negligence has denied the physician access to informal interviews with other treating physicians, arguing that HIPAA only allows the disclosure of written medical records--not oral communications, where it is more difficult to predict what protected information might be disclosed. The trial court agreed with this argument, only to be reversed by the Michigan Court of Appeals in 2008. The Appeals Court ruled that, provided the patient was notified through a proper mechanism, such informal meetings were permissible.

Other states have split over whether HIPAA prohibits informal oral interviews in medical liability cases.

December 9, 2009

HIPAA Violation Results in Sixteen Firings in Houston

The Harris County Hospital District of Houston fired 16 employees last month for a major violation of the Health Insurance Portability and Accountability Act (HIPAA), which protects confidential patient information. The hospital district has not disclosed additional details about the violation, instead issuing a statement saying, "The Harris County Hospital District, in all circumstances, is guided by the best interests of our patients, especially in matters of patients' protected health information, and our policies that protect our patients' privacy are always vigorously enforced. Actions by the hospital district were the result of steadfast diligence performed in the best interests of our patients."

However, the Houston Chronicle reports that the violation may have involved reviewing the medical records of a first-year resident at the Ben Taub General Hospital who had become a patient after a shooting.

November 24, 2009

Health Care Data Breach

Health Net became the latest company to lose data containing personal, financial and medical information of hundreds of thousands of Connecticut residents. The data disappeared from Health Net in May, but the company did not inform consumers (or authorities) about the breach of privacy until about two weeks ago, a six-month delay.

A spokeswoman for Health Net said the company was initially unable to determine what information was on the lost drive, forcing it to conduct a lengthy investigation, which included a detailed forensic review by computer experts. To date, the company said it has not had any reports of misused data.

This is not the first data breach impacting Connecticut residents. Earlier this month, the Attorney General demanded answers and identity-theft protection for nearly 19,000 health professionals in the state whose confidential data was on a stolen laptop computer taken from the Blue Cross and Blue Shield Association in the Chicago area. The laptop disappeared in August, but Anthem did not notify the affected doctors, therapists and other professionals about the breach until October, a move that also drew criticism from the Attorney General.

As previously outlined in this blog, a Final Rule was recently published, clarifying covered entities' and business associates' liabilities for breaches of patients' unsecured PHI. The Final Rule was effective September 23, 2009. In summary, the Final Rule clarifies that when a breach occurs:

- A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach;

- A covered entity must notify the media in the event of a breach of unsecured PHI involving more than 500 residents of a State or jurisdiction;

- A covered entity must notify HHS in the event of a breach of unsecured PHI involving 500 or more individuals.

- A business associate must notify the covered entity of any breach of unsecured PHI.

October 30, 2009

New HIPAA Rules Posted Today

HIPAA enforcement will be strengthened by an interim final rule posted today by the U.S. Department of Health and Human Services (HHS). The new rule increases significantly the penalties that may be imposed for HIPAA violations under the Health Information Technology for Economic and Clinical Health (HITECH) Act. HHS believes that the higher penalties will increase compliance with the privacy protections of the Health Insurance Portability and Accountability Act.

You can view the HHS press release here, and the text of the new rules here.

October 27, 2009

HIPAA Violators Sentenced

In Little Rock, Arkansas, Dr. Jay Holland, Sarah Miller, and Candida Griffin were sentenced this week for violating the Health Insurance Portability and Accountability Act (HIPAA). According to the U.S. Department of Justice press release, the three individuals pleaded guilty on July 20, 2009 "to misdemeanor violations of the health information privacy provisions [of HIPAA] based on their accessing a patient's records without any legitimate purpose." The U.S. Attorney for the Eastern District of Arkansas stated that she hoped that the sentencings would "send the message that the HIPAA protections apply to every person in the community."

Holland was sentenced to one year of probation, a $5,000 fine, and 50 hours of community service, while Miller and Griffin were sentenced to fines of $2,500 and $1,500, respectively.

August 24, 2009

HITECH Act Breach Notification Final Rule Published

The HITECH Act (The Health Information Technology for Economic and Clinical Health Act), enacted February 17, 2009, significantly supplemented and altered the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). One such provision of the HITECH Act made both covered entities and their business associates liable for breaches of patients' unsecured protected health information ("PHI").

On August 24, 2009, a Final Rule was published in the Federal Register, which clarified covered entities' and business associates' liabilities for breaches of patients' unsecured PHI. This Final Rule is effective September 23, 2009.

In summary, the Final Rule clarifies that when a breach occurs,

- A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach;

- A covered entity must notify the media in the event of a breach of unsecured PHI involving more than 500 residents of a State or jurisdiction;

- A covered entity must notify HHS in the event of a breach of unsecured PHI involving 500 or more individuals.

- A business associate must notify the covered entity of any breach of unsecured PHI.

The Final Rule also provides guidance regarding what constitutes "unsecured" PHI, updating previous guidance on this issue.

August 3, 2009

HIPAA Designated to Office for Civil Rights

HHS turns HIPAA over to the Office for Civil Rights. Today, Kathleen Sebelius--Department of Health and Human Services (HHS) Secretary--transferred the delegation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule from the Centers for Medicare and Medicaid Services (CMS) to the Office for Civil Rights (OCR). HHS contends that this "will eliminate duplication and increase efficiencies in how the department ensures that Americans' health information privacy is protected."

HIPAA's Security Rule enumerates various security procedures for covered entities to ensure protection of protected health information (PHI) in connection with electronic health records. Alongside HIPAA's Security Rule is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provides greater protections for PHI through electronic health records.

May 19, 2009

New ASC Conditions for Coverage Have Taken Effect

Ambulatory Surgery Centers ("ASCs") need to take note of additional federal Conditions for Coverage ("CFCs") governing patient rights that took effect May 18, 2009. The amendments to these CFCs, which the Centers for Medicare and Medicaid Services (CMS) published on November 18, 2008, are codified at "Part 416 - Ambulatory Surgical Services" (42 CFR 416.50).

According to the amendment, the ASC is required to:

  • notify the patient of his or her rights both verbally and in writing prior to the patient's procedure,

  • inform the patient of its policies regarding advance directives, and document the patient's decision to use an advance directive in his or her chart, and

  • establish a policy to document and respond to patient grievances.

The patient has the right to:

  • exercise his or her rights,

  • file grievances, and

  • receive complete information about the procedure he or she is to receive before it begins.

The patient also has the right to:

  • privacy,

  • safety, and

  • freedom from maltreatment.

Finally, the ASC must comply with the rules governing the privacy and security of individually identifiable health information.

In sum, ASCs need to ensure that they enact (or, as necessary, modify any existing) policies and procedures to conform with the requirements under the new CFCs. Further, because these obligations have already taken effect, it is imperative that ASCs act expeditiously to create or amend the patient rights policies required by the CFCs.

For the full text of the amendment, please click here.

May 6, 2009

HHS Issues HITECH Act Guidance for Securing PHI Relative to Breach Notification Regulations

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as a part of the American Recovery and Reinvestment Act of 2009 (ARRA) (i.e., the Stimulus Bill), requires the development of regulations requiring certain covered entities to provide thorough notification in the cases where there has been a breach of unsecured protected health information (PHI). These regulations will apply to covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This notification may include, depending on the size of the breach and the urgency of notification, written notice to the individual, conspicuous posting on the website, telephone contact when urgent, notice to prominent media outlets, notice to the U.S. Department of Health and Human Services (HHS) Secretary, and/or posting on the HHS web site.

However, these notification procedures can largely be avoided if the PHI has been secured through one of a number of methodologies or technologies.

On April 17, 2009, HHS issued guidance that specifies methodologies and technologies whose use renders information sufficiently unusable. Essentially, use of these methodologies creates a safe harbor, which results in covered entities and their business associates not being required to go through the notification procedures because the information breached is considered secured (secured PHI is unusable, unreadable, or indecipherable to unauthorized individuals).

HHS and the Federal Trade Commission (FTC) are each preparing to issue breach notification regulations. HHS regulations will apply to covered entities and business associates under HIPAA; FTC regulations will cover vendors of personal health records and other non-HIPAA covered entities.

The HHS guidance issued last month relates to these two forthcoming regulations, and indicates that encryption (depending on the strength of the encryption algorithm and the security of the decryption key or process) and destruction (of paper or electronic forms of information) are the only methodologies that sufficiently secure PHI. HHS is seeking comments and input regarding additional technologies, risks of re-identification, the use of limited data sets, and other considerations, to be received by May 21, 2009.

April 27, 2009

HITECH Act - HIPAA Privacy and Security Expanded by the Stimulus Bill

The Health Information Technology for Economic and Clinical Health Act ("HITECH Act" or the "Act") included in the "Stimulus Bill" significantly expands HIPAA privacy and security provisions. Health care organizations and providers may be interested in some of the critical aspects of the HIPAA privacy and security portions as follows:

• Required Notification for Information Breaches:

Effective 30 days after the Secretary of the Department of Health and Human Services ("HHS") publishes interim final regulations (which regulations are due within 180 days from the enactment of the legislation), covered entities and business associates will be required to follow certain notification protocols when a person's unsecured protected health information has been breached. This includes individual notification to consumers and, depending on the number of individuals whose information is involved, media notification. Notification must also be made to HHS immediately if the breach involves 500 or more individuals. If the breach involves fewer than 500 individuals, the provider may instead maintain such information on a log, which must be provided annually to HHS.

• Required Accounting of Disclosures Involving Electronic Health Records:

As many providers are aware, under the current HIPAA regulations providers need not provide individuals with an accounting of disclosures of their health information if the disclosure is related to treatment, payment activities or health care operations ("TPO") of the provider. Although the implementation date is set into the future, under the HITECH Act, providers who use or maintain electronic health records will be required to account for TPO disclosures. In such cases however, the accounting period is limited to three (3) years prior to the date on which the accounting is requested. The Act directs the Secretary of HHS to implement regulations on what information has to be collected about each disclosure. The effective dates for this new requirement are dependent upon whether the provider acquired an electronic record as of January 1, 2009 or after January 1, 2009.
