Not So Sunny News in Arizona – Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016
The forecast for Arizona is thunderstorms, at least for one health care system. Last week, OCR announced a $1.25 million settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.
Privacy & Data Security
Mobile Health Apps and Vendors of Health Records Beware! – the FTC has just started Enforcing the Breach Notification Rule.
The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
HAPPY NEW YEAR! A LOT will be happening in 2023!
The New Year is finally here, and I believe that there will be a LOT going on in 2023! Here are just a few of the things that Legal HIE is looking to stay on top of for our readers this year . . .
Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?
On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” One of the most troubling positions OCR takes in its Bulletin is that “all IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity . . .” If your organization maintains a website, portal, FB page, mobile application etc., it must review the tracking technologies associated with these immediately.
Are We Getting Closer to Alignment of 42 CFR Part 2 & HIPAA?
SAMHSA finally fulfilled its duty under the CARES Act and released a Proposed Rule, “Confidentiality of Substance Use Disorder (SUD) Patient Records,” amending the Part 2 rules in line with the CARES Act’s requirements. This is the 4th overhaul of the Part 2 Rule in 5 years…
Information Blocking is No Longer Limited to USCDI
Today, the Information Blocking spigot has officially opened. The Content & Manner Exception no longer applies; now, all electronic health information (EHI) cannot be “blocked” if requested (unless another exception applies).
Summary List Update of COVID19-related Federal Actions Relevant to Healthcare
As efforts at the federal and individual state levels evolve every day at an almost breakneck pace to address challenges and needs related to the COVID-19 outbreak, here is an updated running list of some of the top actions taken at the federal level that we thought would be helpful to the healthcare industry (caveat: this is not an exhaustive list):
CMS Releases Hospital COP Event Notification FAQs; Interpretive Guidance
On May 1, modifications to the Medicare Conditions of Participation (“CoPs”) went into effect, requiring certain electronic event notifications for admissions, discharges and transfers (“ADTs”) to and from hospitals, critical access hospitals and psychiatric hospitals. To provide guidance to hospitals and state surveyors, CMS released several FAQs as well as interpretive guidance last week to be published in the State Operations Manual.
Hospitals are required to make a “reasonable effort” to ensure that notifications are sent to post-acute care services providers and suppliers, and other practitioners and entities, which need such notifications for treatment, care coordination or quality improvement. Under…
When Does a Health Care Provider Wear an HIE/HIN Hat for Purposes of the Info Blocking Rule?
Under the Information Blocking Rule (IBR), a health information network (HIN) or health information exchange (HIE) type actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities. ONC has said that a separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor. Additionally, ONC has specifically pointed out that a health care system, for example, could wear two IBR actor hats: (1) as a health care provider, and (2) as a HIN/HIE.
What Information Must be Made Available on Patient Portals?
Well folks, the Information Blocking Rule (IBR) April 5th compliance deadline is behind us at this point. However, I know that many of you are continuing to work through your top IBR challenges and questions one at a time. At this point, I have worked through many thorny IBR issues with numerous health care providers and health information exchanges (HIE), so I thought it might be interesting for me to share what is the main topic that I see Actors are focused on. And the winner is …..
Information Blocking Compliance — So What Happens on April 5th?
The deadline for compliance with the Information Blocking Rule is just 12 days away! I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date. On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020. However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?
NEW ONC FAQ: Prior Agreements or Contracts CAN Implicate Information Blocking as of April 5th!
On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the Information Blocking Rule. The Communications Condition of Certification (CCOC) requirements must be revised to remove or void the contractual provision that contravenes the CCOC requirements whenever the contract is next modified for any reason. A Business Associate Agreement should generally not prohibit or limit the access, exchange, or use of the EHI for treatment.
How to Use the Privacy Exception to Deny an Abuser Access to EHI
When an Actor wants to potentially deny access to EHI to a person who is suspected of some type of abuse of the individual whose EHI is being sought (the “Abuser”), the natural inclination is to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial. However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.
Checklist for Info Blocking Compliance
Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. There are operational decisions and other process issues that must be addressed and can only be implemented by the Actor. Every health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April…
Threading the HIPAA needle through information blocking to block patient access when data is corrupted
How can an Actor/covered entity provider comply with both the Information Blocking Rule & HIPAA when access to EHI/PHI needs to be denied based on harm that arises from corrupted data?
- Delay access to EHI/PHI instead of denying access completely.
- Have a licensed health care professional confirm the denial of access due to data issues.
- Adopt a standing policy “signed off” by a licensed health care professional permitting denials of access in pre-identified scenarios involving data issues.
The Information Blocking (IB) Rule is intended to work in sync with HIPAA, including the “right of access” granted to patients with regard…
How the ‘Preventing Harm Exception’ changes HIPAA
I believe that the “Preventing Harm Exception” under the Information Blocking Rule is the most challenging exception to decipher and apply. This is particularly so because some of the standards do not precisely track HIPAA, and yet other standards appear to be inconsistent in how they are applied. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues to be aware of as Actors work to implement these new requirements into their compliance processes.
The Preventing Harm Exception can be found at 45 C.F.R. §171.201. Under…
