Legal Health Information Exchange

Blog Authors

Latest from Legal Health Information Exchange

Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of  access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of. First, although the “penalty” amounts are relatively low, OCR is still definitely intending to set a clear expectation about patients’ right of access afforded under HIPAA. The amounts in these new cases ranged from $3,500 on the low end, which OCR assessed against a psychiatrist in Virginia, and went up to $70,000,…
At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased…
Seton Hall Law’s Institute for Privacy Protection and Gibbons Institute of Law, Science & Technology is hosting a Virtual Event on September 17th with legal academics, practitioners, and government officials who will evaluate the impact of the COVID-19 pandemic on privacy and intellectual property. Panel One speakers will discuss balancing privacy & public health; Panel Two will discuss Intellectual Property – incentives to access to vaccines & treatments.…
After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July.  At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop.  However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure…
Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed.  The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act which was was enacted into law on March 27, 2020 and is making significant changes 42 C.F.R. Part 2.  Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2…
The award will allocate $2.5M to fund up to 5 awards (in the amount of up to $500K EACH) with a period of performance of up to 2 years in the form of cooperative agreements with funding contingent upon availability of funds, satisfactory completion of milestones, and a determination that continued funding is in the best interest of the federal government and the public. SHORT TURN AROUND! Deadline is September 1, 2020 to get Applications in.…
On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.…
This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event!  The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology.  However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while…
A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.…
CMS & ONC have promulgated their Final Rules to implement the 21st Century Cures Act. A main goal is to accelerate the access, exchange and use of electronic health information (EHI).  One way this is being accomplished is to require certain entities and actors to provide Application Programming Interfaces (APIs) that use a new standard for data access and exchange called Fast Healthcare Interoperability Resources (aka “FHIR”).  These new standards for adopting FHIR for information exchange is expected to exponentially accelerate individuals ability to access and share EHI through mobile apps, as well as allow any third-party adopting such FHIR…
The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.…
Need access to current information about COVID-19 and Medicare? CMS is holding stakeholder engagement calls to provide an opportunity for hospitals, health systems, and providers. The Webcast sessions are intended to provide updates, share best practices among peers, and offer attendees an opportunity to ask questions of CMS and other subject matter experts.…
New telehealth encounter guidance is available for the Promoting Interoperability Programs and Quality Payment Program. There are 42 telehealth codes eligible for inclusion within the eligible professional/eligible clinician eCQMs for the 2020 performance period. For the 2021 performance period, 39 telehealth codes would be eligible, however, there are also additional eCQMs identified as not eligible for telehealth encounters.…